diff --git a/contrib/completion/bash/docker b/contrib/completion/bash/docker
index 781bf8f647..79209c2941 100644
--- a/contrib/completion/bash/docker
+++ b/contrib/completion/bash/docker
@@ -1969,6 +1969,7 @@ _docker_daemon() {
 local options_with_args="
 $global_options_with_args
 --add-runtime
+ --allow-nondistributable-artifacts
 --api-cors-header
 --authorization-plugin
 --bip
diff --git a/contrib/completion/zsh/_docker b/contrib/completion/zsh/_docker
index 316caf5d43..0860907839 100644
--- a/contrib/completion/zsh/_docker
+++ b/contrib/completion/zsh/_docker
@@ -2603,6 +2603,7 @@ __docker_subcommand() {
 _arguments $(__docker_arguments) \
 $opts_help \
 "($help)*--add-runtime=[Register an additional OCI compatible runtime]:runtime:__docker_complete_runtimes" \
+ "($help)*--allow-nondistributable-artifacts=[Push nondistributable artifacts to specified registries]:registry: " \
 "($help)--api-cors-header=[CORS headers in the Engine API]:CORS headers: " \
 "($help)*--authorization-plugin=[Authorization plugins to load]" \
 "($help -b --bridge)"{-b=,--bridge=}"[Attach containers to a network bridge]:bridge:_net_interfaces" \
diff --git a/docs/reference/commandline/dockerd.md b/docs/reference/commandline/dockerd.md
index 5f28f6f21c..93774c841b 100644
--- a/docs/reference/commandline/dockerd.md
+++ b/docs/reference/commandline/dockerd.md
@@ -23,6 +23,7 @@ A self-sufficient runtime for containers.
 
 Options:
 --add-runtime runtime Register an additional OCI compatible runtime (default [])
+ --allow-nondistributable-artifacts list Push nondistributable artifacts to specified registries (default [])
 --api-cors-header string Set CORS headers in the Engine API
 --authorization-plugin list Authorization plugins to load (default [])
 --bip string Specify network bridge IP
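Review bot: The new zsh spec for `--allow-nondistributable-artifacts` labels its argument only as `:registry: `, while the dockerd.md hunk in this same diff documents two accepted forms, a `host:port` registry and a CIDR subnet such as `10.1.0.0/16`, so the message shown at completion time understates what the daemon accepts. I would change the added line to `"($help)*--allow-nondistributable-artifacts=[Push nondistributable artifacts to specified registries]:registry or CIDR: " \` so the prompt matches the documented syntax. The `*` prefix already marks the option as repeatable, which agrees with the docs' "can be used multiple times". The enclosing `__docker_subcommand` function starts and ends outside the hunk.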
@@ -828,6 +829,32 @@ To set the DNS search domain for all Docker containers, use:
 $ sudo dockerd --dns-search example.com
 ```
 
+#### Allow push of nondistributable artifacts
+
+Some images (e.g., Windows base images) contain artifacts whose distribution is
+restricted by license. When these images are pushed to a registry, restricted
+artifacts are not included.
+
+To override this behavior for specific registries, use the
+`--allow-nondistributable-artifacts` option in one of the following forms:
+
+* `--allow-nondistributable-artifacts myregistry:5000` tells the Docker daemon
+ to push nondistributable artifacts to myregistry:5000.
+* `--allow-nondistributable-artifacts 10.1.0.0/16` tells the Docker daemon to
+ push nondistributable artifacts to all registries whose resolved IP address
+ is within the subnet described by the CIDR syntax.
+
+This option can be used multiple times.
+
+This option is useful when pushing images containing nondistributable artifacts
+to a registry on an air-gapped network so hosts on that network can pull the
+images without connecting to another server.
+
+> **Warning**: Nondistributable artifacts typically have restrictions on how
+> and where they can be distributed and shared. Only use this feature to push
+> artifacts to private registries and ensure that you are in compliance with
+> any terms that cover redistributing nondistributable artifacts.
+
 #### Insecure registries
 
 Docker considers a private registry either secure or insecure. In the rest of
@@ -1261,6 +1288,7 @@ This is a full example of the allowed configuration options on Linux:
 "default-gateway-v6": "",
 "icc": false,
 "raw-logs": false,
+ "allow-nondistributable-artifacts": [],
 "registry-mirrors": [],
 "seccomp-profile": "",
 "insecure-registries": [],
@@ -1330,6 +1358,7 @@ This is a full example of the allowed configuration options on Windows: "bridge": "", "fixed-cidr": "", "raw-logs": false, + "allow-nondistributable-artifacts": [], "registry-mirrors": [], "insecure-registries": [], "disable-legacy-registry": false @@ -1361,6 +1390,7 @@ The list of currently supported options that can be reconfigured is this: - `runtimes`: it updates the list of available OCI runtimes that can be used to run containers - `authorization-plugin`: specifies the authorization plugins to use. +- `allow-nondistributable-artifacts`: Replaces the set of registries to which the daemon will push nondistributable artifacts with a new set of registries. - `insecure-registries`: it replaces the daemon insecure registries with a new set of insecure registries. If some existing insecure registries in daemon's configuration are not in newly reloaded insecure resgitries, these existing ones will be removed from daemon's config. - `registry-mirrors`: it replaces the daemon registry mirrors with a new set of registry mirrors. If some existing registry mirrors in daemon's configuration are not in newly reloaded registry mirrors, these existing ones will be removed from daemon's config. diff --git a/man/dockerd.8.md b/man/dockerd.8.md index 6a12d3f165..a4e079074f 100644 --- a/man/dockerd.8.md +++ b/man/dockerd.8.md @@ -7,6 +7,7 @@ dockerd - Enable daemon mode # SYNOPSIS **dockerd** [**--add-runtime**[=*[]*]] +[**--allow-nondistributable-artifacts**[=*[]*]] [**--api-cors-header**=[=*API-CORS-HEADER*]] [**--authorization-plugin**[=*[]*]] [**-b**|**--bridge**[=*BRIDGE*]] 
@@ -116,6 +117,20 @@ $ sudo dockerd --add-runtime runc=runc --add-runtime custom=/usr/local/bin/my-ru **Note**: defining runtime arguments via the command line is not supported. +**--allow-nondistributable-artifacts**=[] + Push nondistributable artifacts to the specified registries. + + List can contain elements with CIDR notation to specify a whole subnet. + + This option is useful when pushing images containing nondistributable + artifacts to a registry on an air-gapped network so hosts on that network can + pull the images without connecting to another server. + + **Warning**: Nondistributable artifacts typically have restrictions on how + and where they can be distributed and shared. Only use this feature to push + artifacts to private registries and ensure that you are in compliance with + any terms that cover redistributing nondistributable artifacts. + **--api-cors-header**="" Set CORS headers in the Engine API. Default is cors disabled. Give urls like "http://foo, http://bar, ...". Give "*" to allow all.