centersl/docker-docs
1
0
Fork 0
mirror of https://github.com/docker/docs.git synced 2026-03-27 14:28:47 +07:00
Code Issues Packages Projects Releases Wiki Activity

Fix issue #24286: document admin-settings.json sign-in enforcement (#24444)

Browse Source 
Documents that the presence of admin-settings.json file enforces sign-in
on Docker Desktop.

Changes:
- Added important note in Prerequisites section explaining that the
file's presence enforces sign-in (behavior since Docker Desktop 4.29)
- Clarifies this is intended for business features that require
authentication

This addresses user confusion about why Docker Desktop requires sign-in
after adding the admin-settings.json file.

Fixes #24286

---------

Co-authored-by: David Karlsson <dvdksn@users.noreply.github.com>
This commit is contained in:
David Karlsson
2026-03-23 10:17:36 +01:00
committed by GitHub
parent c5a02e3e14
commit 50999013a6
1 changed files with 95 additions and 93 deletions
Download Patch File Download Diff File Expand all files Collapse all files

188
content/manuals/enterprise/security/hardened-desktop/settings-management/configure-json-file.md
View File

@@ -5,9 +5,9 @@ description: Configure and enforce Docker Desktop settings using an admin-settin
keywords: admin controls, settings management, configuration, enterprise, docker desktop, json file
weight: 10
aliases:
- /desktop/hardened-desktop/settings-management/configure/
- /security/for-admins/hardened-desktop/settings-management/configure/
- /security/for-admins/hardened-desktop/settings-management/configure-json-file/
- /desktop/hardened-desktop/settings-management/configure/
- /security/for-admins/hardened-desktop/settings-management/configure/
- /security/for-admins/hardened-desktop/settings-management/configure-json-file/
---
{{< summary-bar feature_name="Hardened Docker Desktop" >}}
@@ -19,13 +19,15 @@ Settings Management lets you configure and enforce Docker Desktop settings acros
Before you begin, make sure you have:
- [Enforce sign-in](/manuals/enterprise/security/enforce-sign-in/_index.md) for
your organization
your organization
- A Docker Business subscription
Docker Desktop only applies settings from the `admin-settings.json` file when both authentication and Docker Business license checks succeed.
> [!IMPORTANT]
>
> The presence of the `admin-settings.json` file enforces sign-in on Docker Desktop (behavior since version 4.29). This is intended for business features that require authentication.
>
> Users must be signed in and part of a Docker Business organization. If either condition isn't met, the settings file is ignored.
## Step one: Create the settings file
@@ -33,12 +35,12 @@ Docker Desktop only applies settings from the `admin-settings.json` file when bo
You can create the `admin-settings.json` file in two ways:
- Use the `--admin-settings` installer flag to auto-generate the file:
- [macOS](/manuals/desktop/setup/install/mac-install.md#install-from-the-command-line) installation guide
- [Windows](/manuals/desktop/setup/install/windows-install.md#install-from-the-command-line) installation guide
- [macOS](/manuals/desktop/setup/install/mac-install.md#install-from-the-command-line) installation guide
- [Windows](/manuals/desktop/setup/install/windows-install.md#install-from-the-command-line) installation guide
- Create it manually (UTF-8 without BOM) and place it in the following locations:
- Mac: `/Library/Application\ Support/com.docker.docker/admin-settings.json`
- Windows: `C:\ProgramData\DockerDesktop\admin-settings.json`
- Linux: `/usr/share/docker-desktop/admin-settings.json`
- Mac: `/Library/Application\ Support/com.docker.docker/admin-settings.json`
- Windows: `C:\ProgramData\DockerDesktop\admin-settings.json`
- Linux: `/usr/share/docker-desktop/admin-settings.json`
> [!IMPORTANT]
>
@@ -56,7 +58,7 @@ Each setting supports a `locked` field that controls user permissions:
- When `locked` is set to `true`, users can't change that value in Docker Desktop, the CLI, or config files.
- When `locked` is set to `false`, the value acts like a default suggestion and users
can still update it.
can still update it.
Settings where `locked` is set to `false` are ignored on existing installs if
a user has already customized that value in `settings-store.json`,
@@ -119,7 +121,7 @@ The following sample is an `admin-settings.json` file with common enterprise set
"http": "",
"https": "",
"exclude": [],
"pac":"",
"pac": "",
"embeddedPac": "",
"transparentPorts": ""
},
@@ -146,23 +148,23 @@ The following sample is an `admin-settings.json` file with common enterprise set
},
"dockerDaemonOptions": {
"locked": false,
"value":"{\"debug\": false}"
"value": "{\"debug\": false}"
},
"vpnkitCIDR": {
"locked": false,
"value":"192.168.65.0/24"
"value": "192.168.65.0/24"
}
},
"kubernetes": {
"locked": false,
"enabled": false,
"showSystemContainers": false,
"imagesRepository": ""
"locked": false,
"enabled": false,
"showSystemContainers": false,
"imagesRepository": ""
},
"windowsContainers": {
"dockerDaemonOptions": {
"locked": false,
"value":"{\"debug\": false}"
"value": "{\"debug\": false}"
}
},
"disableUpdate": {
@@ -196,7 +198,7 @@ The following sample is an `admin-settings.json` file with common enterprise set
"sharedByDefault": true
},
{
"path":"$TMP",
"path": "$TMP",
"sharedByDefault": false
}
],
@@ -275,74 +277,74 @@ The following tables describe all available settings in the `admin-settings.json
### General settings
|Parameter|OS|Description|Version|
|:-------------------------------|---|:-------------------------------|---|
|`configurationFileVersion`| |Specifies the version of the configuration file format.| |
|`analyticsEnabled`| |If `value` is set to false, Docker Desktop doesn't send usage statistics to Docker. | |
|`disableUpdate`| |If `value` is set to true, checking for and notifications about Docker Desktop updates is disabled.| |
| `blockDockerLoad` | | If `value` is set to `true`, users are no longer able to run [`docker load`](/reference/cli/docker/image/load/) and receive an error if they try to.| |
| `displayedOnboarding` | | If `value` is set to `true`, the onboarding survey will not be displayed to new users. Setting `value` to `false` has no effect. | Docker Desktop version 4.30 and later |
| `desktopTerminalEnabled` | | If `value` is set to `false`, developers cannot use the Docker terminal to interact with the host machine and execute commands directly from Docker Desktop. | |
|`exposeDockerAPIOnTCP2375`| Windows only| Exposes the Docker API on a specified port. If `value` is set to true, the Docker API is exposed on port 2375. Note: This is unauthenticated and should only be enabled if protected by suitable firewall rules.| |
| `silentModulesUpdate` | | If `value` is set to `true`, Docker Desktop automatically updates components that don't require a restart. For example, the Docker CLI or Docker Scout components. | Docker Desktop version 4.46 and later. |
| Parameter | OS | Description | Version |
| :------------------------- | ------------ | :--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------- |
| `configurationFileVersion` | | Specifies the version of the configuration file format. | |
| `analyticsEnabled` | | If `value` is set to false, Docker Desktop doesn't send usage statistics to Docker. | |
| `disableUpdate` | | If `value` is set to true, checking for and notifications about Docker Desktop updates is disabled. | |
| `blockDockerLoad` | | If `value` is set to `true`, users are no longer able to run [`docker load`](/reference/cli/docker/image/load/) and receive an error if they try to. | |
| `displayedOnboarding` | | If `value` is set to `true`, the onboarding survey will not be displayed to new users. Setting `value` to `false` has no effect. | Docker Desktop version 4.30 and later |
| `desktopTerminalEnabled` | | If `value` is set to `false`, developers cannot use the Docker terminal to interact with the host machine and execute commands directly from Docker Desktop. | |
| `exposeDockerAPIOnTCP2375` | Windows only | Exposes the Docker API on a specified port. If `value` is set to true, the Docker API is exposed on port 2375. Note: This is unauthenticated and should only be enabled if protected by suitable firewall rules. | |
| `silentModulesUpdate` | | If `value` is set to `true`, Docker Desktop automatically updates components that don't require a restart. For example, the Docker CLI or Docker Scout components. | Docker Desktop version 4.46 and later. |
### Extensions
|Parameter|OS|Description|Version|
|:-------------------------------|---|:-------------------------------|---|
|`extensionsEnabled`| |If `value` is set to false, Docker Extensions are disabled. | |
| `onlyMarketplaceExtensions` | | If `value` is set to true, developers are blocked from installing other extensions via the command line.| |
| `extensionsPrivateMarketplace` | | If `value` is set to true, activates the private marketplace is enabled which ensures Docker Desktop connects to content defined and controlled by the administrator instead of the public Docker marketplace. | |
| `extensionsPrivateMarketplaceAdminContactURL` | | Defines a contact link for developers to request new extensions in the private marketplace. | |
| Parameter | OS | Description | Version |
| :-------------------------------------------- | --- | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
| `extensionsEnabled` | | If `value` is set to false, Docker Extensions are disabled. | |
| `onlyMarketplaceExtensions` | | If `value` is set to true, developers are blocked from installing other extensions via the command line. | |
| `extensionsPrivateMarketplace` | | If `value` is set to true, activates the private marketplace is enabled which ensures Docker Desktop connects to content defined and controlled by the administrator instead of the public Docker marketplace. | |
| `extensionsPrivateMarketplaceAdminContactURL` | | Defines a contact link for developers to request new extensions in the private marketplace. | |
### File sharing and emulation
|Parameter|OS|Description|Version|
|:-------------------------------|---|:-------------------------------|---|
| `filesharingAllowedDirectories` | | Specify which paths your developers can add file shares to. Also accepts `$HOME`, `$TMP`, or `$TEMP` as `path` variables. When a path is added, its subdirectories are allowed. If `sharedByDefault` is set to `true`, that path will be added upon factory reset or when Docker Desktop first starts. | |
| `useVirtualizationFrameworkVirtioFS`| macOS only | If `value` is set to `true`, VirtioFS is set as the file sharing mechanism. Note: If both `useVirtualizationFrameworkVirtioFS` and `useGrpcfuse` have `value` set to `true`, VirtioFS takes precedence. Likewise, if both `useVirtualizationFrameworkVirtioFS` and `useGrpcfuse` have `value` set to `false`, osxfs is set as the file sharing mechanism. | |
| `useGrpcfuse` | macOS only | If `value` is set to `true`, gRPC Fuse is set as the file sharing mechanism. | |
| `useVirtualizationFrameworkRosetta`| macOS only | If `value` is set to `true`, Docker Desktop turns on Rosetta to accelerate x86_64/amd64 binary emulation on Apple Silicon. Note: This also automatically enables `Use Virtualization framework`. | Docker Desktop version 4.29 and later. |
| Parameter | OS | Description | Version |
| :----------------------------------- | ---------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------- |
| `filesharingAllowedDirectories` | | Specify which paths your developers can add file shares to. Also accepts `$HOME`, `$TMP`, or `$TEMP` as `path` variables. When a path is added, its subdirectories are allowed. If `sharedByDefault` is set to `true`, that path will be added upon factory reset or when Docker Desktop first starts. | |
| `useVirtualizationFrameworkVirtioFS` | macOS only | If `value` is set to `true`, VirtioFS is set as the file sharing mechanism. Note: If both `useVirtualizationFrameworkVirtioFS` and `useGrpcfuse` have `value` set to `true`, VirtioFS takes precedence. Likewise, if both `useVirtualizationFrameworkVirtioFS` and `useGrpcfuse` have `value` set to `false`, osxfs is set as the file sharing mechanism. | |
| `useGrpcfuse` | macOS only | If `value` is set to `true`, gRPC Fuse is set as the file sharing mechanism. | |
| `useVirtualizationFrameworkRosetta` | macOS only | If `value` is set to `true`, Docker Desktop turns on Rosetta to accelerate x86_64/amd64 binary emulation on Apple Silicon. Note: This also automatically enables `Use Virtualization framework`. | Docker Desktop version 4.29 and later. |
### Docker Scout
|Parameter|OS|Description|Version|
|:-------------------------------|---|:-------------------------------|---|
|`scout`| | Setting `useBackgroundIndexing` to `false` disables automatic indexing of images loaded to the image store. Setting `sbomIndexing` to `false` prevents users from being able to index image by inspecting them in Docker Desktop or using `docker scout` CLI commands. | |
| Parameter | OS | Description | Version |
| :-------- | --- | :--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
| `scout` | | Setting `useBackgroundIndexing` to `false` disables automatic indexing of images loaded to the image store. Setting `sbomIndexing` to `false` prevents users from being able to index image by inspecting them in Docker Desktop or using `docker scout` CLI commands. | |
### Proxy settings
|Parameter|OS|Description|Version|
|:-------------------------------|---|:-------------------------------|---|
|`proxy`| |If `mode` is set to `system` instead of `manual`, Docker Desktop gets the proxy values from the system and ignores any values set for `http`, `https` and `exclude`. Change `mode` to `manual` to manually configure proxy servers. If the proxy port is custom, specify it in the `http` or `https` property, for example `"https": "http://myotherproxy.com:4321"`. The `exclude` property specifies a comma-separated list of hosts and domains to bypass the proxy. | |
| `windowsDockerdPort`| Windows only | Exposes Docker Desktop's internal proxy locally on this port for the Windows Docker daemon to connect to. If it is set to 0, a random free port is chosen. If the value is greater than 0, use that exact value for the port. The default value is -1 which disables the option. | |
|`enableKerberosNtlm`| |When set to `true`, Kerberos and NTLM authentication is enabled. Default is `false`. For more information, see the settings documentation. | Docker Desktop version 4.32 and later. |
| `pac` | | Specifies a PAC file URL. For example, `"pac": "http://proxy/proxy.pac"`. | |
| `embeddedPac` | | Specifies an embedded PAC (Proxy Auto-Config) script. For example, `"embeddedPac": "function FindProxyForURL(url, host) { return \"DIRECT\"; }"`. This setting takes precedence over HTTP, HTTPS, Proxy bypass and PAC server URL. | Docker Desktop version 4.46 and later. |
| Parameter | OS | Description | Version |
| :------------------- | ------------ | :---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------- |
| `proxy` | | If `mode` is set to `system` instead of `manual`, Docker Desktop gets the proxy values from the system and ignores any values set for `http`, `https` and `exclude`. Change `mode` to `manual` to manually configure proxy servers. If the proxy port is custom, specify it in the `http` or `https` property, for example `"https": "http://myotherproxy.com:4321"`. The `exclude` property specifies a comma-separated list of hosts and domains to bypass the proxy. | |
| `windowsDockerdPort` | Windows only | Exposes Docker Desktop's internal proxy locally on this port for the Windows Docker daemon to connect to. If it is set to 0, a random free port is chosen. If the value is greater than 0, use that exact value for the port. The default value is -1 which disables the option. | |
| `enableKerberosNtlm` | | When set to `true`, Kerberos and NTLM authentication is enabled. Default is `false`. For more information, see the settings documentation. | Docker Desktop version 4.32 and later. |
| `pac` | | Specifies a PAC file URL. For example, `"pac": "http://proxy/proxy.pac"`. | |
| `embeddedPac` | | Specifies an embedded PAC (Proxy Auto-config) script. For example, `"embeddedPac": "function FindProxyForURL(url, host) { return \"DIRECT\"; }"`. This setting takes precedence over HTTP, HTTPS, Proxy bypass and PAC server URL. | Docker Desktop version 4.46 and later. |
### Container proxy
|Parameter|OS|Description|Version|
|:-------------------------------|---|:-------------------------------|---|
|`containersProxy` | | Creates air-gapped containers. For more information see [Air-Gapped Containers](../air-gapped-containers.md).| Docker Desktop version 4.29 and later. |
| `pac` | | Specifies a PAC file URL. For example, `"pac": "http://containerproxy/proxy.pac"`. | |
| `embeddedPac` | | Specifies an embedded PAC (Proxy Auto-Config) script. For example, `"embeddedPac": "function FindProxyForURL(url, host) { return \"PROXY 192.168.92.1:2003\"; }"`. This setting takes precedence over HTTP, HTTPS, Proxy bypass and PAC server URL. | Docker Desktop version 4.46 and later. |
| Parameter | OS | Description | Version |
| :---------------- | --- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------- |
| `containersProxy` | | Creates air-gapped containers. For more information see [Air-Gapped Containers](../air-gapped-containers.md). | Docker Desktop version 4.29 and later. |
| `pac` | | Specifies a PAC file URL. For example, `"pac": "http://containerproxy/proxy.pac"`. | |
| `embeddedPac` | | Specifies an embedded PAC (Proxy Auto-config) script. For example, `"embeddedPac": "function FindProxyForURL(url, host) { return \"PROXY 192.168.92.1:2003\"; }"`. This setting takes precedence over HTTP, HTTPS, Proxy bypass and PAC server URL. | Docker Desktop version 4.46 and later. |
### Linux VM settings
|Parameter|OS|Description|Version|
|:-------------------------------|---|:-------------------------------|---|
| `linuxVM` | |Parameters and settings related to Linux VM options - grouped together here for convenience. | |
| &nbsp; &nbsp; &nbsp; &nbsp;`wslEngineEnabled` | Windows only | If `value` is set to true, Docker Desktop uses the WSL 2 based engine. This overrides anything that may have been set at installation using the `--backend=<backend name>` flag. | |
| &nbsp; &nbsp; &nbsp; &nbsp;`dockerDaemonOptions` | |If `value` is set to true, it overrides the options in the Docker Engine config file. See the [Docker Engine reference](/reference/cli/dockerd/#daemon-configuration-file). Note that for added security, a few of the config attributes may be overridden when Enhanced Container Isolation is enabled. | |
| &nbsp; &nbsp; &nbsp; &nbsp;`vpnkitCIDR` | |Overrides the network range used for vpnkit DHCP/DNS for `*.docker.internal` | |
| Parameter | OS | Description | Version |
| :----------------------------------------------- | ------------ | :------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
| `linuxVM` | | Parameters and settings related to Linux VM options - grouped together here for convenience. | |
| &nbsp; &nbsp; &nbsp; &nbsp;`wslEngineEnabled` | Windows only | If `value` is set to true, Docker Desktop uses the WSL 2 based engine. This overrides anything that may have been set at installation using the `--backend=<backend name>` flag. | |
| &nbsp; &nbsp; &nbsp; &nbsp;`dockerDaemonOptions` | | If `value` is set to true, it overrides the options in the Docker Engine config file. See the [Docker Engine reference](/reference/cli/dockerd/#daemon-configuration-file). Note that for added security, a few of the config attributes may be overridden when Enhanced Container Isolation is enabled. | |
| &nbsp; &nbsp; &nbsp; &nbsp;`vpnkitCIDR` | | Overrides the network range used for vpnkit DHCP/DNS for `*.docker.internal` | |
### Windows containers
|Parameter|OS|Description|Version|
|:-------------------------------|---|:-------------------------------|---|
| `windowsContainers` | | Parameters and settings related to `windowsContainers` options - grouped together here for convenience. | |
| &nbsp; &nbsp; &nbsp; &nbsp;`dockerDaemonOptions` | | Overrides the options in the Linux daemon config file. See the [Docker Engine reference](/reference/cli/dockerd/#daemon-configuration-file).| |
| Parameter | OS | Description | Version |
| :----------------------------------------------- | --- | :------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
| `windowsContainers` | | Parameters and settings related to `windowsContainers` options - grouped together here for convenience. | |
| &nbsp; &nbsp; &nbsp; &nbsp;`dockerDaemonOptions` | | Overrides the options in the Linux daemon config file. See the [Docker Engine reference](/reference/cli/dockerd/#daemon-configuration-file). | |
> [!NOTE]
>
@@ -350,9 +352,9 @@ The following tables describe all available settings in the `admin-settings.json
### Kubernetes settings
|Parameter|OS|Description|Version|
|:-------------------------------|---|:-------------------------------|---|
|`kubernetes`| | If `enabled` is set to true, a Kubernetes single-node cluster is started when Docker Desktop starts. If `showSystemContainers` is set to true, Kubernetes containers are displayed in the Docker Desktop Dashboard and when you run `docker ps`. The [imagesRepository](/manuals/desktop/use-desktop/kubernetes.md#configuring-a-custom-image-registry-for-kubernetes-control-plane-images) setting lets you specify which repository Docker Desktop pulls control-plane Kubernetes images from. | |
| Parameter | OS | Description | Version |
| :----------- | --- | :----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
| `kubernetes` | | If `enabled` is set to true, a Kubernetes single-node cluster is started when Docker Desktop starts. If `showSystemContainers` is set to true, Kubernetes containers are displayed in the Docker Desktop Dashboard and when you run `docker ps`. The [imagesRepository](/manuals/desktop/use-desktop/kubernetes.md#configuring-a-custom-image-registry-for-kubernetes-control-plane-images) setting lets you specify which repository Docker Desktop pulls control-plane Kubernetes images from. | |
> [!NOTE]
>
@@ -365,23 +367,23 @@ The following tables describe all available settings in the `admin-settings.json
### Networking settings
|Parameter|OS|Description|Version|
|:-------------------------------|---|:-------------------------------|---|
| `defaultNetworkingMode` | Windows and Mac only | Defines the default IP protocol for new Docker networks: `dual-stack` (IPv4 + IPv6, default), `ipv4only`, or `ipv6only`. | Docker Desktop version 4.43 and later. |
| `dnsInhibition` | Windows and Mac only | Controls DNS record filtering returned to containers. Options: `auto` (recommended), `ipv4`, `ipv6`, `none`| Docker Desktop version 4.43 and later. |
| `portBindingBehavior` | Linux-based containers only | Defines port binding restrictions and default behavior, allowing admins to control how a user exposes ports from their containers. Options: `default-port-binding`, `default-local-port-binding`, `local-only-port-binding` | Docker Desktop version 4.52 and later. |
| Parameter | OS | Description | Version |
| :---------------------- | --------------------------- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------- |
| `defaultNetworkingMode` | Windows and Mac only | Defines the default IP protocol for new Docker networks: `dual-stack` (IPv4 + IPv6, default), `ipv4only`, or `ipv6only`. | Docker Desktop version 4.43 and later. |
| `dnsInhibition` | Windows and Mac only | Controls DNS record filtering returned to containers. Options: `auto` (recommended), `ipv4`, `ipv6`, `none` | Docker Desktop version 4.43 and later. |
| `portBindingBehavior` | Linux-based containers only | Defines port binding restrictions and default behavior, allowing admins to control how a user exposes ports from their containers. Options: `default-port-binding`, `default-local-port-binding`, `local-only-port-binding` | Docker Desktop version 4.52 and later. |
For more information, see [Networking](/manuals/desktop/features/networking.md#networking-mode-and-dns-behaviour-for-mac-and-windows).
### AI settings
| Parameter | OS | Description | Version |
|:----------------------------|---------------|:------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------|
| `enableInference` | | Setting `enableInference` to `true` enables [Docker Model Runner](/manuals/ai/model-runner/_index.md). | |
| `enableInferenceTCP` | | Enable host-side TCP support. This setting requires the Docker Model Runner setting to be enabled first. | |
| `enableInferenceTCPPort` | | Specifies the exposed TCP port. This setting requires the Docker Model Runner and Enable host-side TCP support settings to be enabled first. | |
| `enableInferenceCORS` | | Specifies the allowed CORS origins. Empty string to deny all,`*` to accept all, or a list of comma-separated values. This setting requires the Docker Model Runner and Enable host-side TCP support settings to be enabled first. | |
| `enableInferenceGPUVariant` | Windows only | Setting `enableInferenceGPUVariant` to `true` enables GPU-backed inference. The additional components required for this don't come by default with Docker Desktop, therefore they will be downloaded to `~/.docker/bin/inference`. | |
| Parameter | OS | Description | Version |
| :-------------------------- | ------------ | :--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
| `enableInference` | | Setting `enableInference` to `true` enables [Docker Model Runner](/manuals/ai/model-runner/_index.md). | |
| `enableInferenceTCP` | | Enable host-side TCP support. This setting requires the Docker Model Runner setting to be enabled first. | |
| `enableInferenceTCPPort` | | Specifies the exposed TCP port. This setting requires the Docker Model Runner and Enable host-side TCP support settings to be enabled first. | |
| `enableInferenceCORS` | | Specifies the allowed CORS origins. Empty string to deny all,`*` to accept all, or a list of comma-separated values. This setting requires the Docker Model Runner and Enable host-side TCP support settings to be enabled first. | |
| `enableInferenceGPUVariant` | Windows only | Setting `enableInferenceGPUVariant` to `true` enables GPU-backed inference. The additional components required for this don't come by default with Docker Desktop, therefore they will be downloaded to `~/.docker/bin/inference`. | |
### Beta features
@@ -389,18 +391,18 @@ For more information, see [Networking](/manuals/desktop/features/networking.md#n
>
> For Docker Desktop versions 4.41 and earlier, some of these settings lived under the **Experimental features** tab on the **Features in development** page.
| Parameter | OS | Description | Version |
|:-----------------------------------------------------|----|:----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------|
| `allowBetaFeatures` | | If `value` is set to `true`, beta features are enabled. | |
| `enableDockerAI` | | If `allowBetaFeatures` is true, setting `enableDockerAI` to `true` enables [Gordon](/manuals/ai/gordon/_index.md) by default. You can independently control this setting from the `allowBetaFeatures` setting. | |
| `enableDockerMCPToolkit` | | If `allowBetaFeatures` is true, setting `enableDockerMCPToolkit` to `true` enables the [MCP Toolkit feature](/manuals/ai/mcp-catalog-and-toolkit/toolkit.md) by default. You can independently control this setting from the `allowBetaFeatures` setting. | |
| `allowExperimentalFeatures` | | If `value` is set to `true`, experimental features are enabled. | Docker Desktop version 4.41 and earlier |
| Parameter | OS | Description | Version |
| :-------------------------- | --- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------- |
| `allowBetaFeatures` | | If `value` is set to `true`, beta features are enabled. | |
| `enableDockerAI` | | If `allowBetaFeatures` is true, setting `enableDockerAI` to `true` enables [Gordon](/manuals/ai/gordon/_index.md) by default. You can independently control this setting from the `allowBetaFeatures` setting. | |
| `enableDockerMCPToolkit` | | If `allowBetaFeatures` is true, setting `enableDockerMCPToolkit` to `true` enables the [MCP Toolkit feature](/manuals/ai/mcp-catalog-and-toolkit/toolkit.md) by default. You can independently control this setting from the `allowBetaFeatures` setting. | |
| `allowExperimentalFeatures` | | If `value` is set to `true`, experimental features are enabled. | Docker Desktop version 4.41 and earlier |
### Enhanced Container Isolation
|Parameter|OS|Description|Version|
|:-------------------------------|---|:-------------------------------|---|
|`enhancedContainerIsolation`| | If `value` is set to true, Docker Desktop runs all containers as unprivileged, via the Linux user-namespace, prevents them from modifying sensitive configurations inside the Docker Desktop VM, and uses other advanced techniques to isolate them. For more information, see [Enhanced Container Isolation](../enhanced-container-isolation/_index.md).| |
| &nbsp; &nbsp; &nbsp; &nbsp;`dockerSocketMount` | | By default, enhanced container isolation blocks bind-mounting the Docker Engine socket into containers (e.g., `docker run -v /var/run/docker.sock:/var/run/docker.sock ...`). This lets you relax this in a controlled way. See [ECI Configuration](../enhanced-container-isolation/config.md) for more info. | |
| &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; `imageList` | | Indicates which container images are allowed to bind-mount the Docker Engine socket. | |
| &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; `commandList` | | Restricts the commands that containers can issue via the bind-mounted Docker Engine socket. | |
| Parameter | OS | Description | Version |
| :------------------------------------------------------------- | --- | :-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------- |
| `enhancedContainerIsolation` | | If `value` is set to true, Docker Desktop runs all containers as unprivileged, via the Linux user-namespace, prevents them from modifying sensitive configurations inside the Docker Desktop VM, and uses other advanced techniques to isolate them. For more information, see [Enhanced Container Isolation](../enhanced-container-isolation/_index.md). | |
| &nbsp; &nbsp; &nbsp; &nbsp;`dockerSocketMount` | | By default, enhanced container isolation blocks bind-mounting the Docker Engine socket into containers (e.g., `docker run -v /var/run/docker.sock:/var/run/docker.sock ...`). This lets you relax this in a controlled way. See [ECI Configuration](../enhanced-container-isolation/config.md) for more info. | |
| &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; `imageList` | | Indicates which container images are allowed to bind-mount the Docker Engine socket. | |
| &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; &nbsp; `commandList` | | Restricts the commands that containers can issue via the bind-mounted Docker Engine socket. | |