Closed josegonzalez closed 1 year ago
Yeah the email is very confusing as it suggests only access to private repos will be suspended while public repos are not, but everything will end up being deleted in May regardless if public or not. The "FAQ" also has the heading "Private Repos FAQ" so is not relevant at all for free teams that only use public repos.
Seems like there's a big assumption in that email that everyone using teams are companies with money and private stuff rather than a group of OSS developers.
The whole thing seems super rushed without much consideration and has just left people confused. The links in the FAQ aren't even clickable.
I want to second the fact that this email raises many more questions than it answers. I have a Free Team organization that's used to distribute public Docker images for an OSS project. If "all data will be deleted", does this include our public images?
It seems like no one knows what is happening: https://news.ycombinator.com/item?id=35154025
I maintain the OSS project for the mambaorg/micromamba image, which is currently using a free Team account.
My reading is that if you are accepted into Docker's open source program, then you get a free Team account (that I'm guessing isn't going to get purged). I just applied to this program and Docker says they try to process applications within 30 days. However, Docker indicates they are currently receiving a high volume of applications. If my application isn't approved in 30 days, then it will be after the Teams purge date and my images will go away. These images are commonly used in CI pipelines and those pipelines are going to break if the images are removed from Dockerhub. I'd really like to see Docker commit to fully processing all applications to their open source program before purging teams.
Hi folks, thank you for your feedback!
Docker has a specific DSOS program for open-source projects, and it is not affected by the sunsetting of Free Team plans. We are listening to feedback and may offer additional programs in the future.
We will defer any organization suspension or deletion while DSOS application is under review, and give organizations at least 30 days before we suspend the organization if the application is ultimately rejected.
Any organizations suspended or deleted will not release the namespace, so squatting previous namespaces will not be possible.
Thank you and please keep the open feedback coming!
@yavorg thanks for the update. Can you clarify exactly what will happen if we don't upgrade to a paid plan and also don't make it into the DSOS program? Will all our public images truly be deleted?
The fact that the DSOS program excludes commercial OSS really stings considering that Docker itself is commercial OSS! Payment for me, not for thee; I guess I'm only allowed to make a living from "tips".
Considering that docker hijacks the top level for docker commands, this change will likely result in a lot of broken images and malicious images. For us, a small company that is not OSS, it's just not worth paying 300$/y just to publish a public image. We might have considered it at a smaller price point or used the personal namespace but now we can't "downgrade" so this is just a shit move from Docker.
Hey @yavorg we applied years ago to the DSOS and never received an answer after the first follow-up. I am very concerned about https://hub.docker.com/u/trion where we publish Angular images with >10mio pulls in sum
Similar story here for the Rocky Linux images in the rockylinux namespace. We had applied for the OSS program years ago and heard nothing. We applied again a few months ago after prompting but have similarly not heard anything from that application, either.
Same thing with the OSU Open Source Lab and the Cinc project. I just applied for the OSS program for both but no idea if that will pan out or not based on the comments above.
It's sad to see that we're going to lose our namespaces because of this. Converting the existing organisations to a free personal account would fit us best, but we'll just move our images to other container registries I guess.
Docker has a specific DSOS program for open-source projects, and it is not affected by the sunsetting of Free Team plans.
Might be worth adding this to the FAQ as I was unaware this existed, and I seem to not be alone in that.
The timeline of this, the lack of communication, the lack of a stepped migration path, all tell me that Docker is not an organization to be relied upon, and that I need to reduce my exposure to this company for my projects as fast as I possibly can.
I knew this would happen, but didn't prepare for it, my bad.
My main concern is squatting. As a kubernetes admin for big orgs, if we don't get strong commitment from docker about this, I think I'll forbid the use of hub.docker.com; it would be easier.
I recommend you to take this squatting issue seriously if you don't want docker name to be associated with dramatic events. (In my opinion this squatting thing can become a serious industrial catastrophe).
@pierreozoux It was mentioned before by @yavorg that squatting won't be possible.
Any organizations suspended or deleted will not release the namespace, so squatting previous namespaces will not be possible.
An additional plan for small developers would be greatly appreciated. Forcing us into a 5 user / $300 minimum spend for a few public images for our own users is excessive. Why can this not be a 1 user minimum at $5/month?
That would keep me, otherwise moving to GHCR
The @racket project submitted our application to the DSOS program in July of 2021 and we have never heard anything back.
The messaging around this is very confusing. At face value, this seems to indicate the free tier will fully disappear, but the FAQ and documentation only talks about private images. We're only using this to publish public images for OSS projects.
Please clarify what's going to happen to public-only images.
Never heard of the DSOS program before, I applied and got a positive answer in less than fifteen minutes so it may be worth a shot.
The lack of communication does not inspire confidence for the future though
Never heard of the DSOS program before, I applied and got a positive answer in less than fifteen minutes so it may be worth a shot.
It's worth mentioning that the DSOS program isn't really fitting many OSS usage cases. The form is not relevant for organization publishing more than one project for instance. It's also demanding information like "company" or "job title", as if the OSS organization is in fact a company employing people, which won't match many OSS organizations out here.
I haven't filed a DSOS request because I have no idea what to fill for most of the fields.
I haven't filed a DSOS request because I have no idea what to fill for most of the fields.
I tried, despite the mismatch you mentioned. However, Docker even fails to count to 30 correctly.
I wonder if it might be time for us, the community, to just host our own registry without these restrictions and problems.
I submitted a DSOS application for rpki-client (portable) on July 7th, 2021, answered all questions (sent by the "Docker Marketing Team" via e-mail) – and never heard back from them after July 12th, 2021 (where a "Marketing Intern Docker, Inc." confirmed that they received my answers and would come back to me with a decision).
I also would like to remark that I'm using Docker Hub only to publish public images (but actually for multiple projects in different Docker Hub organisations), which have been built outside (using GitHub Actions). And this is mainly because Docker Hub itself didn't support enough architectures at the time when I evaluated this sometime in 2020.
Being able to convert the organization accounts into personal single-user free accounts with the same name and images would be a reasonable solution for most of what I maintain, I think.
I'm also affected by this - like many other projects here, I'm only using Docker hub to publish public images within a org namespace (no private images, no builds, no other team members).
These images are widely used by others, referenced in all sorts of docs & CI builds, and embedded in software running all over the place, so implying that all these images will stop being accessible in 30 days is a massive problem.
I'm running a tiny open-source project but with some income (just enough to make development sustainable with one developer) which means it seems I'm not allowed into the open-source scheme either.
At least keeping existing public images available for more than 30 days would be a huge help for migration here (maybe that's already going to happen regardless, but the current messaging is very unclear on this).
Being able to convert my organization account into a personal single-user free account with the same name & images would be a reasonable solution imo (if these were the rules in the past, that's probably what I'd set up now).
Alternatively, allowing closed organizations to set up automated redirects to hosting elsewhere would help, so that references to all the existing images don't break. I could very easily host these images on GHCR for free, or run my own public hosting indefinitely for far less than $300, but doing that now doesn't solve my problem because the existing Docker hub URLs are widely used all over the place already.
Also similar to others, I have a couple of single-user orgs used only to publish public images from public, open source github projects, and would love to be able to just switch them to single-user free accounts. At this point my plan is to migrate new versions to be published on ghcr but I'd rather not lose the historical images.
It would be nice if there were some way to have a redirect from our old orgs/repos to their new locations, and similarly provide a helpful error message for CLI pulls, to aid downstream migrations.
Hey folks, Our use of Dockerhub is to host a "test image" which doesn't do anything beyond store some files in a couple of layers. We haven't updated it in years and we mostly use the image to test the open source project. According to DSOS, we can only make use of Dockerhub if the image is in "active development". We are planning to move it to GHCR but I'd like to ask here if there is some alternative place within Dockerhub we could move it to. cc: @rnjudge
Not every open source project can be or will be onboarded to docker open source thing. Why don't you at least "downgrade" these account into personal account or even free public only "org" tier? I can't imagine what kind of horror it would create.
Speaking for the Zeek project, we also applied for DSOS a long time ago and never heard back. We're on the Free Team tier. We started dual-pushing to Docker Hub and AWS ECR a while back, out of concern over Docker Hub's long-term viability.
Docker has a specific DSOS program for open-source projects and it is not affected by the sunsetting of Free Team plans.
The program is extremely discouraging. Besides being a long and confusing form for its purpose, the prospect of any compensation (such as consulting) immediately rules you out. Most OSS projects take years to profit (if ever) and such a black and white criteria contradicts open source support.
We are listening to feedback and may offer additional programs in the future.
When in the future? After our accounts have been terminated and containers deleted? Please understand that part of the issue is vague communication, and this does not help us confused or discouraged by the current messaging.
Finally, I would speculate many of the OSS maintainers have Docker organizations because our communities asked us to. As soon as those images are removed, there will be a wave of users and companies with broken deployments, leaving the OSS teams and Docker to deal with the upcoming fall out.
One of my projects was rejected by this program late 2020. As part of the rejection, Docker staff told me by email:
Data egress is a large operational expense for Docker, which we can not continue absorbing. We are asking our users to share in some of this cost. We are making an exception for 'science experiment' open source projects, because we are committed to growing development communities.
Any Open Source which is created/funded by employees of a company would likely have this same result:
Since X is funded by a commercial entity, we can not include it into the Open Source program, and provide these images with the namespace whitelisting included with this program.
I haven't looked recently but at the time, the program included some "marketing" requirements which I think would make many feel uneasy.
We are faced with a similar situation as Testcontainers, which is a pure OSS project, but has AtomicJar as a commercial entity building products related to the OSS project.
One of our main components currently hosted at Docker Hub (ryuk) has 100M+ pulls. We were given the Sponsored OSS badge when Docker started to introduce pull rate limiting, but since I received this email as well, I expect us to lose this badge now. When applying for the new OSS program, we got a rejection similar to what @rarkins has shared.
While paying for a team plan would be totally fine for us, this would still leave Testcontainers users potentially facing the pull-rate limits, which might (especially on CI), lead to failing builds for our users. This means we are now faced with looking into alternative hosting solutions that mitigate this situation.
I can understand Docker wanting to cover the egress costs, but I find the messaging and pricing around this very unclear.
We face the same problem as the FreeIPA project. We were offered to join DSOS program when it was announced in December 2020. However, that communication was a black hole: apart from the original automated response from applying to the program, no communication has happened until November 2022 when Docker proposed to re-apply as the application form was streamlined.
We are not using private repositories for builds and don't even use much of Docker hub ourselves. Our users do rely on those images, though. 5M pulls are probably not much compared to other projects but this is still a sizable amount of use.
We're facing the same issue with the LocalStack project. We were also offered to join the DSOS program in the past, and have submitted our application in the meantime (hoping for a timely review and approval 🤞).
We've also participated in some co-branding together with the Docker team (e.g., a recent blog post about our Docker Desktop Extension).
Losing access to Docker Hub for our open source community would be a huge bummer, 😕 and would certainly affect thousands of users in their day-to-day work using the LocalStack Community image. Any support would be highly appreciated! 🙌
Affected here too, it feels like a mob move to be honest...
But the main problem is that it will affect negatively the whole community as a bunch of images will just stop working which will lessen the value of dockerhub (and docker TBH) as a reliable way to distribute and execute software.
At the very very least you need to support redirects for repositories that get closed.
We relaunched the Docker-Sponsored Open Source program in September 2022 (blog post here). Since we made significant changes to the qualification criteria (we removed the limitation of not being able to have commercial funding for your project), we emailed all projects who applied to the Docker-Sponsored Open Source program prior to September to invite them to reapply with our new review process. If you did not receive that communication, there may have been gaps in email deliverability. I encourage everyone to apply to the Docker-Sponsored Open Source program using the updated application form and criteria.
Additionally, thank you for the feedback on the submission form. We are using your suggestions to inform how we can bring more clarity to the Docker-Sponsored Open Source program and ultimately serve the open-source community as best we can.
@Bkblodget As far as I can tell, the prohibition of commercial funding is still in place:
Not have a pathway to commercialization. Your organization must not seek to make a profit through services or by charging for higher tiers. Accepting donations to sustain your efforts is permissible.
Perhaps there's a distinction between "pathway to commercialization" and "commercial funding" that I'm missing?
We relaunched the Docker-Sponsored Open Source program in September 2022 (blog post here). Since we made significant changes to the qualification criteria (we removed the limitation of not being able to have commercial funding for your project), we emailed all projects who applied to the Docker-Sponsored Open Source program prior to September to invite them to reapply with our new review process. If you did not receive that communication, there may have been gaps in email deliverability. I encourage everyone to apply to the Docker-Sponsored Open Source program using the updated application form and criteria.
Additionally, thank you for the feedback on the submission form. We are using your suggestions to inform how we can bring more clarity to the Docker-Sponsored Open Source program and ultimately serve the open-source community as best we can.
I applied again for the Rocky Linux project yesterday and did not receive even a confirmation email that my application was received.
Is there some way to know for sure if our application went through?
Others I spoke with received a new ticket confirmation email, along with acceptance within 15 minutes. As near as I can tell, I am not missing any emails nor have issues with deliverability.
I think it's pretty clear people, if you are an OSS project use another alternative like Quay, ECR, GHCR or any of the many others. Docker has been lining itself up to be friendly to corporations only for quite some time. You must pay to use Docker Desktop, you must pay to have an Org and you must pay to have reduced rate limits. Please stop feeding them if you are an OSS project, just let them wither out and die as the dinosaur they are committed to being. They haven't innovated in years and yet want to charge people for features that used to be free. This should be a warning for anyone thinking of ever using anything created by Docker.
@yavorg, thanks for the response so far. I want to touch upon what you wrote here:
Any organizations suspended or deleted will not release the namespace, so squatting previous namespaces will not be possible.
How long will namespaces not be released? 1 year? 3 years? Indefinitely? If a team deletes their own namespace within the next ~30-60 days, will those namespaces be protected in the future from squatting, also meaning that other legitimate organizations cannot re-use those namespaces in the future?
It's crucial that Docker Hub has plans in place to prevent bad actors from hijacking namespaces that have been "lost" due to teams not converting permanently. Failing to do so could have severe consequences for environment security, as it clearly creates a prime opportunity for bad actors to serve compromised containers to consumers. This could result in thousands of organizations falling victim to cyber-attacks, leading to data breaches, financial losses, damages to reputation.
Given the gravity of the situation, it's imperative that Docker Hub makes clear what actions will be taken to prevent such scenarios. As other folks have stated, the risk and threat vectors make me believe that blocking hub.docker.com and docker.io is the right choice for my organization/team. The security of the entire ecosystem Docker has built is at risk, and any delay or inaction could have disastrous consequences.
How do I identify if an image, such as https://hub.docker.com/r/bitnami/kafka, is at risk of disappearing?
Edit: FWIW, I'm also looking for the answer over in the Docker forum
I don't see any comments from solo, indie, hobbyist developers who are also going to be affected by this.
I have a team with a single user (me) for organizational purposes. I don't use any of the team features. I'm simply using it as an organizational namespace in a manner similar to many of the other comments here. In fact, I haven't pushed any images to it. I use a self-hosted registry, but I want the option of using Docker Hub to publish public facing images using the namespace since I have the matching namespace everywhere else.
I can't (pragmatically) pay $300 per year for a 5 user team to keep my namespace, but this tweet makes me worried that if I don't pay there's a risk I'll lose it permanently.
when we remove accounts we do not free up the namespace so squatting is not possible.
That's better than having it squatted on, but it's still detrimental to me. I deleted an old team I don't use to test and the namespace did not become available (within 30m). I'd be very disappointed if the Docker Hub namespace that matches every other service I use ended up becoming unusable.
Please consider offering some more palatable alternatives for people with light usage (like me) who are primarily trying to maintain a consistent namespace across services. If every service I use starts asking for $300 per year for an organizational namespace the reality for me is that I'll lose control of the brand / identity I use for development.
Any organizations suspended or deleted will not release the namespace, so squatting previous namespaces will not be possible.
Not to be harsh: this just makes it sound like this move is nothing more than a push for $, to remove a previous useful feature used for organization for public users. I have a user account and I have an org account under my user because I push my images under my org, my hostname, not my username, i.e. it's [hostname]/imageName not [username]/imageName.
I do not understand the reason for this change. What's the logic behind it? All I can see is this will make Dockerhub less useful for those who are simple hobbyists that want to maintain images under our hostnames. As a developer, a db architect, I cannot understand why you would need to do this.
As the previous comment right above me: I have a single org with a single user - me. It's my hostname, and my hobby images. That's it. I have this on all my code sites: Github, Gitlab, Bitbucket, Dockerhub. So far, Dockerhub is now the only one that's going to .... well .... force me to leave since I won't pay a team price just for me.
This feels like a blatant attempt to push users into a subscription tier.
Another thing I don't think brought up is what if you are squatting on a name and Docker takes it away because you didn't pony-up and pay them. Now what if you want to start using it again? Will Docker be competent enough to release the name back to you?
@guice
What's the logic behind it? All I can see is this will make Dockerhub less useful for those who are simple hobbyists that want to maintain images under our hostnames.
That is the exact reason why they are doing this, Dockerhub is no longer friendly to small-mid FOSS projects. They have been trending this way for years. Unless you are a big organization (but really, even if you are), stay clear of anything Docker related including Mirantis.
@guice @onedr0p: The reason for this change is simple: Docker, as a company, has to make money. This means reducing costs (bye free teams tier) and generating income (now you gotta pay for it). If they don't make money, they can't maintain a free service for anyone at all. We must want Docker to succeed if we want to keep using their services for free.
From a different perspective, on top of improving a lot the open source sponsoring program, they could have planned and communicated this much better to avoid the current situation. My suggestions are to implement the following, among many other possibilities:
@onedr0p Docker has underwritten the network and storage costs for many FOSS projects for many years. It is fair for them to want to cover their costs. If you aren't following the changes to buildkit, it is understandable you don't see the innovation.
What most of us are upset about are:
There are certainly FOSS projects out there taking advantage of the free tier and costing Docker big money. There are far more hobbyist and small projects caught in the blast radius. The OSS option from Docker is also unclear and makes it seem that most early stage projects will not qualify.
Docker: Please be clear in your communications and clarify what is happening with the miscommunication that caused this issue to be raised. Comments here and on twitter are not sufficient to reach most people impacted by this. SEND ANOTHER EMAIL
For anyone planning on migrating away from Docker Hub and deleting/abandoning their free-tier teams, I've (quickly) put together a script to help anyone shuffle containers from docker.io to a new target registry in bulk. Tested it in a couple of my environments, worked fine so far.
crane copy is probably better for most people: https://github.com/google/go-containerregistry/blob/main/cmd/crane/doc/crane_copy.md
goharbor.io mirroring is better for more complicated or bulk requirements: https://goharbor.io/docs/2.1.0/administration/configuring-replication/create-replication-endpoints/
edit: This page helped me work through multi-arch image migration
crane copy is probably better for most people: https://github.com/google/go-containerregistry/blob/main/cmd/crane/doc/crane_copy.md
goharbor.io mirroring is better for more complicated or bulk requirements: https://goharbor.io/docs/2.1.0/administration/configuring-replication/create-replication-endpoints/
@verdverm Almost definitely. Had some weird performance issues with Crane before, and skopeo seems to work just fine, but I don't disagree 🙂
What I gather from this is as follows: there is no downgrade path from free team to personal account. Ultimately, with single person teams, there isn't any real difference between a personal account and a team that only uses public images. The main difference is being able to manage multiple namespaces under 1 account (which can be achieved currently with multiple personal accounts). So essentially what Docker is doing is holding users with Free Teams hostage, until they pay up. If that was not the case, then you wouldn't also offer free personal accounts, right? Or offer a downgrade path
@yavorg, I appreciate the opportunity to address the recent announcement regarding the discontinuation of free company teams on Docker. While I understand that businesses need to adapt and evolve, I am concerned about the potential impact this decision may have on the open source community and the trust placed in Docker.
To clarify, I am not opposed to change or the introduction of reasonable limitations and pricing. However, I believe that abruptly discontinuing free namespaces for company teams may adversely affect smaller open source projects that have relied on these services.
The open source community thrives on trust and collaboration. Trust is essential, and once it's compromised, it can be challenging to regain. There have been instances where companies altered their terms or pricing structures, which led to a decline in trust and, ultimately, a loss of users.
To foster a closer relationship with open source projects, I would like to propose some alternative solutions:
In conclusion, I understand that Docker must make decisions for its growth and sustainability, but I hope you will consider the implications for the open source community. By working together, we can find a solution that benefits everyone and maintains the trust that has been built over the years.
Thank you for your attention to this matter, and I look forward to seeing how Docker continues to support and engage with the open source community.
Problem description
I got an email saying that I'll need to convert from a free team to something paid. I use Docker hub solely for images related to the Dokku organization. I don't see a way to convert the namespaces - dokku and gliderlabs - to regular accounts. Both use public repositories exclusively, and are only used for supporting the OSS organizations.
Ideally we can convert them to regular accounts that I can log into, as I don't see anything either org benefits from. A second useful change might be to allow OSS orgs to continue to access docker hub teams for free, but I'm sure that's not where docker hub wants to go, pricing wise.
EDIT: I looked at the Docker Sponsored Open Source program and applied. It seems there is going to be a long wait (I applied this morning, and got that message then too). It's not super clear why I'm being asked for work-related information for an OSS project (Dokku is in no way related to my day job). What will happen if I'm not verified in time for the deadline in question, especially if I haven't even been notified I'm in review?
Debug Information
Browser name and version:
All
URL:
N/A
Timestamp or time range:
N/A
Public IP:
N/A
Hub Username:
dokku and gliderlabs
Error messages (on screen or in browser console)
N/A
Screenshots of the issue (if applicable)
N/A