top | item 43127647

rjst01 | 1 year ago

Let me give you an alternative perspective.

My startup pays Docker for their registry hosting services, for our private registry. However, some of our production machines are not set up to authenticate towards our account, because they are only running public containers.

Because of this change, we now need to either make sure that every machine is authenticated, or take the risk of a production outage in case we do too many pulls at once.

If we had instead simply mirrored everything into a registry at a big cloud provider, we would never have paid docker a cent for the privilege of having unplanned work foisted upon us.

hkwerf | 1 year ago

I get why this is annoying.

However, if you are using docker's registry without authentication and you don't want to go through the effort of adding the credentials you already have, you are essentially relying on a free service for production already, which may be pulled any time without prior notice. You are already taking the risk of a production outage. Now it's just formalized that your limit is 10 pulls per IP per hour. I don't really get how this can shift your evaluation from using (and paying for) docker's registry to paying for your own registry. It seems orthogonal to the evaluation itself.

hedora | 1 year ago

The big problem is that the docker client makes it nearly impossible to audit a large deployment to make sure it’s not accidentally talking to docker hub.

This is by design, according to docker.

I’ve never encountered anyone at any of my employers that wanted to use docker hub for anything other than a one-time download of a base image like Ubuntu or Alpine.

I’ve also never seen a CD deployment that doesn’t repeatedly accidentally pull in a docker hub dependency, and then occasionally have outages because of it.

It’s also a massive security hole.

Fork it.
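The audit difficulty hedora describes comes from the client's reference normalization: a bare `ubuntu` in a manifest is rewritten to `docker.io/library/ubuntu:latest` before the pull, so the string itself never mentions Docker Hub. The following is an added example, not code from any commenter or from Docker, that reimplements those normalization rules (as documented for the distribution/reference library) and sorts a list of image references into Docker Hub pulls, digest-pinned Docker Hub pulls, and everything else. The sample image list and registry hostnames are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Normalization rules of Docker image references (distribution/reference):
# a reference with no registry host is rewritten to docker.io, and a
# single-component path on docker.io gets the "library/" namespace. This is
# why a plain "ubuntu" is a Docker Hub pull although the string never says so.
DEFAULT_DOMAIN = "docker.io"
LEGACY_DEFAULT_DOMAIN = "index.docker.io"
OFFICIAL_NAMESPACE = "library"


@dataclass(frozen=True)
class ImageRef:
    domain: str
    path: str
    tag: Optional[str]
    digest: Optional[str]

    @property
    def is_docker_hub(self) -> bool:
        return self.domain == DEFAULT_DOMAIN

    @property
    def is_pinned(self) -> bool:
        # A digest reference is immutable; a tag can be re-pointed by the publisher.
        return self.digest is not None

    def canonical(self) -> str:
        out = f"{self.domain}/{self.path}"
        if self.tag is not None:
            out += f":{self.tag}"
        if self.digest is not None:
            out += f"@{self.digest}"
        return out


def parse_image_ref(ref: str) -> ImageRef:
    """Normalize an image reference the way the Docker CLI does before pulling."""
    name, _, digest = ref.partition("@")
    digest = digest or None

    # The first path component is a registry host only if it looks like one:
    # it contains '.' or ':', is exactly "localhost", or has uppercase letters.
    slash = name.find("/")
    first = name[:slash] if slash != -1 else ""
    looks_like_host = slash != -1 and (
        any(c in first for c in ".:") or first == "localhost" or first.lower() != first
    )
    if looks_like_host:
        domain, remainder = first, name[slash + 1:]
    else:
        domain, remainder = DEFAULT_DOMAIN, name
    if domain == LEGACY_DEFAULT_DOMAIN:
        domain = DEFAULT_DOMAIN

    # A ':' after the last '/' separates the tag; an earlier colon is a host port.
    last_slash = remainder.rfind("/")
    colon = remainder.rfind(":")
    if colon > last_slash:
        path, tag = remainder[:colon], remainder[colon + 1:]
    else:
        path, tag = remainder, None

    # Official images live under the implicit "library/" namespace on Docker Hub.
    if domain == DEFAULT_DOMAIN and "/" not in path:
        path = f"{OFFICIAL_NAMESPACE}/{path}"
    if tag is None and digest is None:
        tag = "latest"
    return ImageRef(domain, path, tag, digest)


def audit_images(refs):
    """Group references by whether they resolve to Docker Hub and whether they are digest-pinned."""
    report = {"hub_unpinned": [], "hub_pinned": [], "non_hub": []}
    for raw in refs:
        r = parse_image_ref(raw)
        if not r.is_docker_hub:
            report["non_hub"].append(r.canonical())
        elif r.is_pinned:
            report["hub_pinned"].append(r.canonical())
        else:
            report["hub_unpinned"].append(r.canonical())
    return report


# Constructed sample: the kind of list `docker ps --format '{{.Image}}'` or a
# scan of Compose/Kubernetes manifests would yield. Registry names are placeholders.
SAMPLE_IMAGES = [
    "ubuntu",
    "debian:12",
    "nginx@sha256:" + "a" * 64,
    "myorg/app:1.4.2",
    "index.docker.io/library/alpine:3.19",
    "ghcr.io/example-org/api:v2",
    "localhost:5000/internal/tool:latest",
    "mirror.gcr.io/library/redis:7",
]

if __name__ == "__main__":
    for bucket, items in audit_images(SAMPLE_IMAGES).items():
        print(bucket)
        for item in items:
            print("  ", item)
```

Feeding this the image list of every host (or of every manifest in the deployment repository) gives the inventory of implicit Docker Hub dependencies that the raw strings hide; the `hub_unpinned` bucket is the one that is both rate-limit-exposed and mutable under you.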

themgt | 1 year ago

I don't really get how this can shift your evaluation from using (and paying for) docker's registry to paying for your own registry

Announcing a new limitation that requires rolling out changes to prod with 1 week notice should absolutely shift your evaluation of whether you should pay for this company's services.

gcapu | 1 year ago

If you offer a service, you have some responsibility towards your users. One of those responsibilities is to give enough notice about changes. IMO, this change doesn't provide enough notice. Why not make it a year, or at least a couple of months? Probably because they don't want people to have enough notice to force their hand.

popalchemist | 1 year ago

It's bait and switch that has the stakes of "adopt our new policy, that makes us money, that you never signed up for, or your business fails." That's a gun to the head.

Not an acceptable interaction. This will be the end of Docker Hub if they don't walk back.

withinboredom | 1 year ago

Yes. But they are paying for this bandwidth, authenticated or not. This is just busy work, and I highly doubt it will make much of a difference. They should probably just charge more.

londons_explore | 1 year ago

> take the risk of a production outage in case we do too many pulls at once.

And the exact time you have some production emergency is probably the exact time you have a lot of containers being pulled as every node rolls forward/back rapidly...

And then docker.io rate limits you and suddenly your 10 minute outage becomes a 1 hour outage whilst someone plays a wild goose chase trying to track down every docker hub reference and point it at some local mirror/cache.

wat10000 | 1 year ago

I mean, don’t build your production environment to rely on some other company’s free tier, and then act surprised when they throttle high usage.

And yes, you’re still using the free tier even if you pay them, if your usage doesn’t have any connection to your paid account.

rad_gruchalski | 1 year ago

> If we had instead simply mirrored everything into a registry at a big cloud provider, we would never have paid docker a cent for the privilege of having unplanned work foisted upon us.

Indeed, you’d be paying the big cloud provider instead, most likely more than you pay today. Go figure.

orochimaaru | 1 year ago

They should have provided more notice. Your case is simply prioritizing work that you would have wanted to complete anyway. As a paying customer you could check if your unauthenticated requests can go via specific outbound IP addresses that they can then whitelist? I’m not sure but they may be inclined to provide exceptions for paying customers - hopefully.

rjst01 | 1 year ago

> Your case is simply prioritizing work that you would have wanted to complete anyway

It's busy-work that provides no business benefit, but for our supplier's problems.

> specific outbound IP addresses that they can then whitelist

And then we have an ongoing burden of making sure the list is kept up to date. Too risky, IMO.

cpuguy83 | 1 year ago

This was announced last year.

fennecbutt | 1 year ago

So it goes. You're a business, pay to make the changes. It's a business expense. Docker ain't doing anything that their agreements/licenses say they can't do.

It's not fair, people shout. Neither are second homes when people don't even have their first but that doesn't seem to be a popular opinion on here.

jdhendrickson | 1 year ago

Devsec/ops guy here, the fact that you were pulling public images at all ever is the thing that is insane to me.

rjst01 | 1 year ago

Why? We are running the exact same images that we would be mirroring into and pulling from our private registry if we were doing that, pinned to the sha256sum.

cyanydeez | 1 year ago

You can set up your own registry. You're complaining about now having to do your own IT.

This isn't a counterpoint; it's rewrapping the same point: free services for commercial enterprise are a counterproductive business plan.

vv_ | 1 year ago

How can you make Docker pull debian:latest from your own registry instead of the official Docker registry, without explicitly specifying <my_registry>/debian:latest?
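The mechanism for this is the daemon's `registry-mirrors` setting, which applies to pulls that normalize to `docker.io` and sends them to a pull-through cache first. The following `/etc/docker/daemon.json` fragment is an added example, not configuration from any commenter or from Docker's documentation; the mirror hostname is a placeholder for your own cache.

```json
{
  "registry-mirrors": ["https://registry-mirror.example.internal"]
}
```

The mirror has to be a pull-through cache of Docker Hub (the open-source `registry` image does this when its `proxy.remoteurl` is set to `https://registry-1.docker.io`), and a hosted mirror such as `mirror.gcr.io`, which a022311 mentions below, is configured the same way. Two caveats matter for the outage scenario in this thread: the setting only affects references that resolve to Docker Hub, not other registries, and when every listed mirror fails the daemon falls back to pulling from Docker Hub directly, so the mirror reduces the number of upstream pulls but does not remove the dependency or the rate limit. Digest-pinned references still verify the content the mirror serves.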

josteink | 1 year ago

> If we had instead simply mirrored everything into a registry at a big cloud provider

You would have had to authenticate to access that repo as well.

rjst01 | 1 year ago

Amazon ECR for instance provides the option to host a public registry.

a022311 | 1 year ago

`mirror.gcr.io` works fine for many popular images on Docker Hub.

lowercased | 1 year ago

Wouldn't they get a choice as to what type of authentication they want to use then? I'd assume they could limit access in multiple ways, vs just the dockerhub way.

jjfanboy | 1 year ago

I just cannot imagine going into public and saying roughly the equivalent of "I want free unlimited bandwidth because I'm too lazy to do the very basics of managing my own infra."

> If we had instead simply mirrored everything into a registry at a big cloud provider, we would never have paid docker a cent for the privilege of having unplanned work foisted upon us.

I mean, if one is unwilling to bother to log in to docker on their boxes, is this really even an actual option? Hm.

dbalatero | 1 year ago

You might try complaining and see if they give you an extension.