Conversation

@aevesdocker aevesdocker commented Oct 29, 2025

High-level info about Docker Desktop networking.
Preview: https://deploy-preview-23626--docsdocker.netlify.app/desktop/features/networking/

Follow-up tasks:


netlify bot commented Oct 29, 2025

Deploy Preview for docsdocker ready!

| Name | Link |
|---|---|
| 🔨 Latest commit | 21e464a |
| 🔍 Latest deploy log | https://app.netlify.com/projects/docsdocker/deploys/690232dbc4ffcf0008616d5d |
| 😎 Deploy Preview | https://deploy-preview-23626--docsdocker.netlify.app |

@github-actions github-actions bot added the area/desktop Issue affects a desktop edition of Docker. E.g docker for mac label Oct 29, 2025

@djs55 djs55 left a comment


Thanks!

IMHO the most confusing part is the interaction with settings e.g. if using WSL 2 or virtiofs the file access is handled differently; if using Linux the network proxy is different. Maybe a later extension could be to positively recommend particular configurations e.g.

  • on Windows: use Hyper-V: com.docker.backend.exe does networking + filesharing
  • on Mac: use virtualization.framework and gRPC FUSE: com.docker.backend does networking + filesharing
  • on Linux: the file access is performed by virtiofsd and the network by qemu (<-- I think we should simplify that in the product)


## Firewalls and endpoint visibility

Docker Desktop doesn't include a built-in firewall.

One could argue that "air-gapped containers" includes a kind of firewall. Maybe drop this comment to avoid having to bring air-gapped containers into the discussion (for now)?

Suggested change
Docker Desktop doesn't include a built-in firewall.


Use Windows Defender Firewall or enterprise endpoint firewalls for control. This enables traffic inspection and restriction at the host level without modifying the Docker Engine.

CrowdStrike and similar tools can observe all traffic and file access that passes through the backend process. To monitor in-VM operations, install the agent inside the Docker VM.

I think it's possible in theory to install the agent inside the VM, but it's difficult to do in practice because the VM is not persistent, so after a restart it will be gone.

Suggested change
CrowdStrike and similar tools can observe all traffic and file access that passes through the backend process. To monitor in-VM operations, install the agent inside the Docker VM.
CrowdStrike and similar tools can observe all traffic and file access that passes through the backend process.
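The quoted page recommends Windows Defender Firewall for host-level control because, with the Hyper-V backend on Windows, container traffic leaves the host through `com.docker.backend.exe`. The following PowerShell is an added example (not part of the docs PR or Docker's own tooling) of what that looks like in practice: it resolves the backend binary from the running process, audits which firewall rules already reference it, and adds an outbound block rule scoped to that program. It assumes an elevated PowerShell session with the `NetSecurity` module, that the process name `com.docker.backend` is the running backend, and uses `10.0.0.0/8` as a constructed placeholder for an internal range containers should not reach. As the review comments above note, this covers only traffic the backend proxies; on Linux (qemu) or with other networking backends the rule would not see container traffic.

```powershell
# Added example, not from the Docker docs PR. Scope Windows Defender Firewall rules to
# com.docker.backend.exe so container egress proxied by the backend is restricted on the host.
# Assumptions: elevated PowerShell with the NetSecurity module; the process name below is
# the running backend; the blocked range is a constructed placeholder.

$BackendProcessName = 'com.docker.backend'
$BlockedRemoteRange = '10.0.0.0/8'    # constructed placeholder for an internal network
$RuleName = 'Docker Desktop backend - block internal range'

function Get-DockerBackendPath {
    # Resolve the executable path from the running process rather than hard-coding an install path.
    $proc = Get-Process -Name $BackendProcessName -ErrorAction SilentlyContinue | Select-Object -First 1
    if (-not $proc) { throw "Process '$BackendProcessName' is not running; start Docker Desktop first." }
    return $proc.Path
}

function Get-DockerBackendFirewallRules {
    # Audit: list every firewall rule whose application filter points at the backend binary.
    # Rules may store the program with environment-variable prefixes, so match on the file name.
    Get-NetFirewallApplicationFilter |
        Where-Object { $_.Program -and ($_.Program -like "*\$BackendProcessName.exe") } |
        Get-NetFirewallRule
}

function Add-DockerBackendBlockRule {
    # Mitigation: block outbound traffic from the backend to the chosen remote range.
    # Block rules take precedence over allow rules in Windows Defender Firewall.
    $path = Get-DockerBackendPath
    if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) {
        Write-Host "Rule '$RuleName' already exists; nothing to do."
        return
    }
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Outbound -Action Block -Program $path `
        -RemoteAddress $BlockedRemoteRange -Profile Any -Enabled True | Out-Null
    Write-Host "Created rule '$RuleName' for $path"
}

# Before: what already applies to the backend process.
Get-DockerBackendFirewallRules | Format-Table DisplayName, Direction, Action, Enabled
# Apply the restriction, then show the resulting rule set.
Add-DockerBackendBlockRule
Get-DockerBackendFirewallRules | Format-Table DisplayName, Direction, Action, Enabled
```

Because every container on the Hyper-V backend shares this one host process, a single program-scoped rule applies to all of them at once; the trade-off is that the firewall cannot distinguish one container from another, which is why the table that follows describes visibility per operation rather than per container.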

| Container reads host files | Yes | Access handled by `com.docker.backend` |
| Container writes host files | Yes | Same process performs the write |
| Container accesses its own filesystem layers | No | Exists only inside the VM |
| Endpoint agent inside VM | Yes | Full visibility |

Maybe avoid this one for now while we consider how practical it is

Suggested change
| Endpoint agent inside VM | Yes | Full visibility |

The backend acts as:

- A network proxy, translating traffic between the host and Linux VM.
- A file server, using gRPC FUSE which handles file access from containers to the host filesystem.

Strictly speaking this depends on the exact filesharing tech in use. It's safest to limit to gRPC FUSE (Windows HyperV and Mac for now)

Suggested change
- A file server, using gRPC FUSE which handles file access from containers to the host filesystem.
- A file server, if using gRPC FUSE which handles file access from containers to the host filesystem.


## Overview

Docker Desktop runs the Docker Engine inside a lightweight Linux virtual machine (VM). Docker Desktop routes all network and file operations between the Docker VM and the host through the `com.docker.backend` process.

Should we add a filesharing caveat here, that it only does this if using gRPC FUSE (not virtiofs or qemu)?


The backend acts as:

- A network proxy, translating traffic between the host and Linux VM.

Unfortunately the network proxy is in a different place by default on Linux, maybe

Suggested change
- A network proxy, translating traffic between the host and Linux VM.
- A network proxy (on Mac and Windows, for Linux use `qemu`), translating traffic between the host and Linux VM.

Or we could reference the note at the bottom about Linux (or maybe the note is enough?)
