Configure Settings Management with a JSON file
Note
Settings Management is available only to Docker Business customers.
This page contains information on how to configure Settings Management with the admin-settings.json file. You can specify and lock configuration parameters to create a standardized Docker Desktop environment across your company or organization.
Settings Management is designed for organizations that don't give developers root access to their machines.
Prerequisites
You first need to enforce sign-in to ensure that all Docker Desktop developers authenticate with your organization. Since Settings Management requires a Docker Business subscription, enforced sign-in guarantees that only authenticated users have access and that the feature consistently takes effect across all users, even though it may still work without enforced sign-in.
Step one: Create the admin-settings.json file and save it in the correct location
You can either use the --admin-settings installer flag on macOS or Windows to automatically create the admin-settings.json file and save it in the correct location, or set it up manually.
To set it up manually:
- Create a new, empty JSON file and name it admin-settings.json.
- Save the admin-settings.json file on your developers' machines in the following location:
  - Mac: /Library/Application\ Support/com.docker.docker/admin-settings.json
  - Windows: C:\ProgramData\DockerDesktop\admin-settings.json
  - Linux: /usr/share/docker-desktop/admin-settings.json
By placing this file in a protected directory, developers are unable to modify it.
Important
It is assumed that you have the ability to push the admin-settings.json settings file to the locations specified above through device management software such as Jamf.
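As an added example (not part of the Docker documentation or of Docker's own tooling), the following Python script checks that the pushed file is actually protected the way this step relies on: it exists at the documented location, is owned by the expected administrative account, is not group- or world-writable, sits in a directory that cannot be rewritten by other users, and parses as JSON. It assumes POSIX file modes (macOS and Linux); on Windows the equivalent check would be against the directory's ACLs, which is not covered here. The path table, the expected_uid parameter and the function name are the example's own.

```python
"""Check that admin-settings.json is at the documented location and protected.

Added example for this page, not Docker's own tooling. Assumes POSIX file
modes (macOS/Linux); Windows would need an ACL check instead.
"""
import json
import os
import stat
import sys

# Documented locations, keyed by sys.platform. The Windows entry is listed for
# completeness; the mode checks below only apply to POSIX systems.
ADMIN_SETTINGS_PATHS = {
    "darwin": "/Library/Application Support/com.docker.docker/admin-settings.json",
    "linux": "/usr/share/docker-desktop/admin-settings.json",
    "win32": r"C:\ProgramData\DockerDesktop\admin-settings.json",
}


def audit_admin_settings_file(path: str, expected_uid: int = 0) -> list[str]:
    """Return findings for `path`; an empty list means the file looks correctly deployed.

    expected_uid is the account that should own the file (root by default, which is
    what a device-management push normally produces on macOS and Linux).
    """
    findings = []
    if not os.path.isfile(path):
        return [f"{path}: file not found, Settings Management will not be applied"]

    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid != expected_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected uid {expected_uid}")
    if mode & stat.S_IWGRP:
        findings.append(f"{path}: group-writable (mode {oct(mode)})")
    if mode & stat.S_IWOTH:
        findings.append(f"{path}: world-writable (mode {oct(mode)})")

    # A writable parent directory lets a developer replace the file even if the
    # file itself is read-only, so the directory is checked as well.
    parent = os.path.dirname(path) or "."
    pmode = stat.S_IMODE(os.stat(parent).st_mode)
    if pmode & stat.S_IWOTH and not pmode & stat.S_ISVTX:
        findings.append(f"{parent}: world-writable directory, the file can be replaced")

    # A file that does not parse is silently useless, so validate the JSON too.
    try:
        with open(path, encoding="utf-8") as fh:
            data = json.load(fh)
        if not isinstance(data, dict) or "configurationFileVersion" not in data:
            findings.append(f"{path}: JSON object with configurationFileVersion expected")
    except ValueError as exc:
        findings.append(f"{path}: not valid JSON ({exc})")
    return findings


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else ADMIN_SETTINGS_PATHS.get(sys.platform, "")
    problems = audit_admin_settings_file(target)
    print("\n".join(problems) if problems else f"{target}: OK")
```

Run it with no arguments to check the documented location for the current platform, or pass a path to check a staged copy before it is pushed out.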
Step two: Configure the settings you want to lock in
Note
Some configuration parameters only apply to specific platforms or specific versions of Docker Desktop. This is highlighted in the tables below.
The admin-settings.json file requires a nested list of configuration parameters, each of which must contain the locked parameter. You can add or remove configuration parameters as needed.
If locked: true, users aren't able to edit this setting from Docker Desktop or the CLI.
If locked: false, it's similar to setting a factory default in that:
- For new installs, locked: false pre-populates the relevant settings in the Docker Desktop Dashboard, but users are able to modify it.
- If Docker Desktop is already installed and in use, locked: false is ignored. This is because existing users of Docker Desktop may have already updated a setting, which in turn will have been written to the relevant config file, for example settings-store.json (or settings.json for Docker Desktop versions 4.34 and earlier) or daemon.json. In these cases, the user's preferences are respected and the values are left unchanged. These can be controlled by setting locked: true.
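To make the locked: true and locked: false rules concrete, here is an added Python model of which value ends up in effect for each parameter. It is an illustration written for this page, not Docker Desktop's actual implementation. It assumes the simplified shape of an admin-settings.json whose top-level parameters carry locked and value, and a settings-store.json flattened to a {parameter: value} map; the function name and the two constructed inputs are the example's own.

```python
"""Model of how admin-settings.json entries take effect, following the rules above.

Added illustration for this page, not Docker Desktop's implementation. It assumes
top-level parameters shaped as {"locked": bool, "value": ...} and a settings-store.json
flattened to a {parameter: value} map (None means a fresh install with no store yet).
"""
from typing import Optional


def effective_settings(admin_settings: dict, settings_store: Optional[dict]) -> dict:
    """Return {parameter: (value, source)} for every value-carrying admin parameter.

    Rules modelled from the documentation:
      * locked: true  -> the admin value is enforced, whatever the user had set.
      * locked: false, fresh install -> the admin value is pre-populated as a default.
      * locked: false, existing install -> the admin entry is ignored; whatever is
        already in the user's store stays (None if the user never set it).
    """
    fresh_install = settings_store is None
    effective = {}
    for name, entry in admin_settings.items():
        if name == "configurationFileVersion":
            continue
        if not isinstance(entry, dict) or "locked" not in entry:
            raise ValueError(f"parameter {name!r} must be an object with a 'locked' key")
        if "value" not in entry:
            continue  # grouped parameters (proxy, kubernetes, ...) are not modelled here
        if entry["locked"]:
            effective[name] = (entry["value"], "admin (locked)")
        elif fresh_install:
            effective[name] = (entry["value"], "admin (pre-populated default)")
        else:
            effective[name] = (settings_store.get(name), "existing install, admin entry ignored")
    return effective


# Constructed sample inputs for the demo below.
SAMPLE_ADMIN = {
    "configurationFileVersion": 2,
    "exposeDockerAPIOnTCP2375": {"locked": True, "value": False},
    "analyticsEnabled": {"locked": False, "value": True},
    "disableUpdate": {"locked": False, "value": False},
}
# A developer who had already turned the TCP API on and analytics off.
SAMPLE_STORE = {"exposeDockerAPIOnTCP2375": True, "analyticsEnabled": False}

if __name__ == "__main__":
    for label, store in (("fresh install", None), ("existing install", SAMPLE_STORE)):
        print(label)
        for name, (value, source) in effective_settings(SAMPLE_ADMIN, store).items():
            print(f"  {name} = {value!r}  [{source}]")
```

The point the model makes visible: on the existing install, the locked exposeDockerAPIOnTCP2375 entry overrides the developer's earlier choice, while the unlocked analyticsEnabled entry does nothing and the developer's value stays. Anything you need enforced on machines that already run Docker Desktop therefore has to be locked: true.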
The following admin-settings.json code and tables provide examples of the required syntax and descriptions for parameters and values:
```json
{
  "configurationFileVersion": 2,
  "exposeDockerAPIOnTCP2375": {
    "locked": true,
    "value": false
  },
  "proxy": {
    "locked": true,
    "mode": "system",
    "http": "",
    "https": "",
    "exclude": [],
    "windowsDockerdPort": 65000,
    "enableKerberosNtlm": false
  },
  "containersProxy": {
    "locked": true,
    "mode": "manual",
    "http": "",
    "https": "",
    "exclude": [],
    "pac": "",
    "transparentPorts": ""
  },
  "enhancedContainerIsolation": {
    "locked": true,
    "value": true,
    "dockerSocketMount": {
      "imageList": {
        "images": [
          "docker.io/localstack/localstack:*",
          "docker.io/testcontainers/ryuk:*"
        ]
      },
      "commandList": {
        "type": "deny",
        "commands": ["push"]
      }
    }
  },
  "linuxVM": {
    "wslEngineEnabled": {
      "locked": false,
      "value": false
    },
    "dockerDaemonOptions": {
      "locked": false,
      "value": "{\"debug\": false}"
    },
    "vpnkitCIDR": {
      "locked": false,
      "value": "192.168.65.0/24"
    }
  },
  "kubernetes": {
    "locked": false,
    "enabled": false,
    "showSystemContainers": false,
    "imagesRepository": ""
  },
  "windowsContainers": {
    "dockerDaemonOptions": {
      "locked": false,
      "value": "{\"debug\": false}"
    }
  },
  "disableUpdate": {
    "locked": false,
    "value": false
  },
  "analyticsEnabled": {
    "locked": false,
    "value": true
  },
  "extensionsEnabled": {
    "locked": true,
    "value": false
  },
  "scout": {
    "locked": false,
    "sbomIndexing": true,
    "useBackgroundIndexing": true
  },
  "allowExperimentalFeatures": {
    "locked": false,
    "value": false
  },
  "allowBetaFeatures": {
    "locked": false,
    "value": false
  },
  "blockDockerLoad": {
    "locked": false,
    "value": true
  },
  "filesharingAllowedDirectories": [
    {
      "path": "$HOME",
      "sharedByDefault": true
    },
    {
      "path": "$TMP",
      "sharedByDefault": false
    }
  ],
  "useVirtualizationFrameworkVirtioFS": {
    "locked": true,
    "value": true
  },
  "useVirtualizationFrameworkRosetta": {
    "locked": true,
    "value": true
  },
  "useGrpcfuse": {
    "locked": true,
    "value": true
  },
  "displayedOnboarding": {
    "locked": true,
    "value": true
  },
  "desktopTerminalEnabled": {
    "locked": false,
    "value": false
  }
}
```
General
| Parameter | OS | Description | Version |
|---|---|---|---|
| configurationFileVersion | | Specifies the version of the configuration file format. | |
| analyticsEnabled | | If value is set to false, Docker Desktop doesn't send usage statistics to Docker. | |
| disableUpdate | | If value is set to true, checking for and notifications about Docker Desktop updates are disabled. | |
| extensionsEnabled | | If value is set to false, Docker extensions are disabled. | |
| blockDockerLoad | | If value is set to true, users are no longer able to run docker load and receive an error if they try to. | |
| displayedOnboarding | | If value is set to true, the onboarding survey will not be displayed to new users. Setting value to false has no effect. | Docker Desktop version 4.30 and later |
| desktopTerminalEnabled | | If value is set to false, developers cannot use the Docker terminal to interact with the host machine and execute commands directly from Docker Desktop. | |
| exposeDockerAPIOnTCP2375 | Windows only | Exposes the Docker API on a specified port. If value is set to true, the Docker API is exposed on port 2375. Note: This is unauthenticated and should only be enabled if protected by suitable firewall rules. | |
File sharing and emulation
| Parameter | OS | Description | Version |
|---|---|---|---|
| filesharingAllowedDirectories | | Specify which paths your developers can add file shares to. Also accepts $HOME, $TMP, or $TEMP as path variables. When a path is added, its subdirectories are allowed. If sharedByDefault is set to true, that path will be added upon factory reset or when Docker Desktop first starts. | |
| useVirtualizationFrameworkVirtioFS | macOS only | If value is set to true, VirtioFS is set as the file sharing mechanism. Note: If both useVirtualizationFrameworkVirtioFS and useGrpcfuse have value set to true, VirtioFS takes precedence. Likewise, if both useVirtualizationFrameworkVirtioFS and useGrpcfuse have value set to false, osxfs is set as the file sharing mechanism. | |
| useGrpcfuse | macOS only | If value is set to true, gRPC FUSE is set as the file sharing mechanism. | |
| useVirtualizationFrameworkRosetta | macOS only | If value is set to true, Docker Desktop turns on Rosetta to accelerate x86_64/amd64 binary emulation on Apple Silicon. Note: This also automatically enables Use Virtualization framework. | Docker Desktop version 4.29 and later |
Docker Scout
| Parameter | OS | Description | Version |
|---|---|---|---|
| scout | | Setting useBackgroundIndexing to false disables automatic indexing of images loaded to the image store. Setting sbomIndexing to false prevents users from being able to index images by inspecting them in Docker Desktop or using docker scout CLI commands. | |
Proxy
| Parameter | OS | Description | Version |
|---|---|---|---|
| proxy | | If mode is set to system instead of manual, Docker Desktop gets the proxy values from the system and ignores any values set for http, https and exclude. Change mode to manual to manually configure proxy servers. If the proxy port is custom, specify it in the http or https property, for example "https": "http://myotherproxy.com:4321". The exclude property specifies a comma-separated list of hosts and domains to bypass the proxy. | |
| windowsDockerdPort | Windows only | Exposes Docker Desktop's internal proxy locally on this port for the Windows Docker daemon to connect to. If it is set to 0, a random free port is chosen. If the value is greater than 0, that exact value is used for the port. The default value is -1, which disables the option. | |
| enableKerberosNtlm | | When set to true, Kerberos and NTLM authentication is enabled. Default is false. For more information, see the settings documentation. | Docker Desktop version 4.32 and later |
Containers proxy
| Parameter | OS | Description | Version |
|---|---|---|---|
| containersProxy | | Creates air-gapped containers. For more information, see Air-Gapped Containers. | Docker Desktop version 4.29 and later |
Linux VM
| Parameter | OS | Description | Version |
|---|---|---|---|
| linuxVM | | Parameters and settings related to Linux VM options, grouped together here for convenience. | |
| wslEngineEnabled | Windows only | If value is set to true, Docker Desktop uses the WSL 2 based engine. This overrides anything that may have been set at installation using the --backend=<backend name> flag. | |
| dockerDaemonOptions | | If value is set to true, it overrides the options in the Docker Engine config file. See the Docker Engine reference. Note that for added security, a few of the config attributes may be overridden when Enhanced Container Isolation is enabled. | |
| vpnkitCIDR | | Overrides the network range used for vpnkit DHCP/DNS for *.docker.internal | |
Windows containers
| Parameter | OS | Description | Version |
|---|---|---|---|
| windowsContainers | | Parameters and settings related to windowsContainers options, grouped together here for convenience. | |
| dockerDaemonOptions | | Overrides the options in the Linux daemon config file. See the Docker Engine reference. | |
Note
This setting cannot be configured via the Docker Admin Console.
Kubernetes
| Parameter | OS | Description | Version |
|---|---|---|---|
| kubernetes | | If enabled is set to true, a Kubernetes single-node cluster is started when Docker Desktop starts. If showSystemContainers is set to true, Kubernetes containers are displayed in the Docker Desktop Dashboard and when you run docker ps. imagesRepository lets you specify which repository Docker Desktop pulls the Kubernetes images from. For example, "imagesRepository": "registry-1.docker.io/docker". | |
Features in development
| Parameter | OS | Description | Version |
|---|---|---|---|
| allowExperimentalFeatures | | If value is set to false, experimental features are disabled. | |
| allowBetaFeatures | | If value is set to false, beta features are disabled. | |
| enableDockerAI | | If value is set to false, Docker AI (Ask Gordon) features are disabled. | |
Enhanced Container Isolation
| Parameter | OS | Description | Version |
|---|---|---|---|
| enhancedContainerIsolation | | If value is set to true, Docker Desktop runs all containers as unprivileged, via the Linux user-namespace, prevents them from modifying sensitive configurations inside the Docker Desktop VM, and uses other advanced techniques to isolate them. For more information, see Enhanced Container Isolation. | |
| dockerSocketMount | | By default, enhanced container isolation blocks bind-mounting the Docker Engine socket into containers (e.g., docker run -v /var/run/docker.sock:/var/run/docker.sock ...). This lets you relax this in a controlled way. See ECI Configuration for more info. | |
| imageList | | Indicates which container images are allowed to bind-mount the Docker Engine socket. | |
| commandList | | Restricts the commands that containers can issue via the bind-mounted Docker Engine socket. | |
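The following Python linter, added here and not part of Docker's tooling, reads an admin-settings.json and reports the problems a reviewer would look for based on the tables above: a parameter missing its locked key, the unauthenticated TCP API on port 2375 enabled or left unlocked, Enhanced Container Isolation disabled or unlocked, images that are allowed to bind-mount the Engine socket, a proxy mode that is neither system nor manual, and file-share paths so broad that, since subdirectories are included, they expose the whole filesystem. The sample configuration is constructed for the demo and deliberately contains several weak choices; the function name and the exact wording of the findings are the example's own.

```python
"""Lint an admin-settings.json against the rules and cautions in the tables above.

Added example for this page, not Docker's own tooling. It only checks facts the
documentation states: every parameter needs "locked", port 2375 is unauthenticated,
ECI runs containers unprivileged, and file-share paths include their subdirectories.
"""
import json

# Constructed sample with several weak choices, used by the demo at the bottom.
SAMPLE_ADMIN_SETTINGS = json.dumps({
    "configurationFileVersion": 2,
    "exposeDockerAPIOnTCP2375": {"locked": False, "value": True},
    "enhancedContainerIsolation": {
        "locked": True,
        "value": True,
        "dockerSocketMount": {
            "imageList": {"images": ["docker.io/testcontainers/ryuk:*"]},
            "commandList": {"type": "deny", "commands": ["push"]},
        },
    },
    "analyticsEnabled": {"value": False},
    "proxy": {"locked": True, "mode": "sytem", "http": "", "https": "", "exclude": []},
    "filesharingAllowedDirectories": [
        {"path": "$HOME", "sharedByDefault": True},
        {"path": "/", "sharedByDefault": False},
    ],
})

# Groups whose "locked" key lives on each child option rather than on the group.
GROUPED = ("linuxVM", "windowsContainers")


def lint_admin_settings(text: str) -> list[str]:
    """Parse the JSON text and return a list of human-readable findings."""
    cfg = json.loads(text)
    findings = []

    if cfg.get("configurationFileVersion") != 2:
        findings.append("configurationFileVersion: expected 2 (the documented format)")

    # Every parameter must carry "locked"; filesharingAllowedDirectories is a list.
    for name, entry in cfg.items():
        if name in ("configurationFileVersion", "filesharingAllowedDirectories"):
            continue
        if name in GROUPED:
            for child, sub in entry.items():
                if not isinstance(sub, dict) or "locked" not in sub:
                    findings.append(f"{name}.{child}: missing required 'locked' key")
        elif not isinstance(entry, dict) or "locked" not in entry:
            findings.append(f"{name}: missing required 'locked' key")

    # The TCP API is unauthenticated, so both enabling it and leaving it unlocked matter.
    api = cfg.get("exposeDockerAPIOnTCP2375", {})
    if api.get("value") is True:
        findings.append("exposeDockerAPIOnTCP2375: value true exposes the unauthenticated "
                        "Docker API on port 2375")
    if api and not api.get("locked"):
        findings.append("exposeDockerAPIOnTCP2375: not locked, developers can enable the "
                        "TCP API themselves")

    # ECI should be on and locked; socket-mount exceptions are listed for review.
    eci = cfg.get("enhancedContainerIsolation")
    if eci is None or eci.get("value") is not True:
        findings.append("enhancedContainerIsolation: not enabled; containers are not run "
                        "unprivileged via user namespaces")
    elif not eci.get("locked"):
        findings.append("enhancedContainerIsolation: enabled but not locked, developers "
                        "can switch it off")
    images = (eci or {}).get("dockerSocketMount", {}).get("imageList", {}).get("images", [])
    for img in images:
        findings.append(f"enhancedContainerIsolation: image {img} may bind-mount the "
                        "Docker Engine socket (review)")

    proxy = cfg.get("proxy", {})
    if proxy and proxy.get("mode") not in ("system", "manual"):
        findings.append(f"proxy: mode {proxy.get('mode')!r} is not 'system' or 'manual'")

    for share in cfg.get("filesharingAllowedDirectories", []):
        if "path" not in share or "sharedByDefault" not in share:
            findings.append("filesharingAllowedDirectories: entries need 'path' and "
                            "'sharedByDefault'")
            continue
        if share["path"] in ("/", "C:\\"):
            findings.append(f"filesharingAllowedDirectories: path {share['path']!r} allows "
                            "every subdirectory, i.e. the whole filesystem")
    return findings


if __name__ == "__main__":
    for line in lint_admin_settings(SAMPLE_ADMIN_SETTINGS):
        print(line)
```

A clean configuration produces no findings; the constructed sample produces six, one per weak choice. Running the linter on the file before it is pushed out through device management catches the mistakes that would otherwise be silently applied to every developer machine.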
Step three: Re-launch Docker Desktop
Note
Test the changes made through the admin-settings.json file locally to see if the settings work as expected.
For settings to take effect:
- On a new install, developers need to launch Docker Desktop and authenticate to their organization.
- On an existing install, developers need to quit Docker Desktop through the Docker menu, and then re-launch Docker Desktop. If they are already signed in, they don't need to sign in again for the changes to take effect.
Important
Selecting Restart from the Docker menu isn't enough, as it only restarts some components of Docker Desktop.
To avoid disrupting your developers' workflows, Docker doesn't automatically require developers to re-launch and re-authenticate once a change has been made.
In Docker Desktop, developers see the relevant settings grayed out with the message Locked by your administrator.
