I had an interesting conversation with some #Docker executives on Friday, in which they highlighted some changes to their terms of service / business model. TL;DR: enterprises are now expected to pay for a full Docker subscription for *any* access to any "Docker Platform" features, including Docker Hub, regardless of pull rate.

So, for example, if you're a company with > 250 employees or > $10M revenue, and you have a Linux box pulling one open source image a week from Docker Hub, you must buy a Docker subscription for that box. And any others.

Previously, their website verbiage was focused solely on usage of Docker Desktop by enterprises.

If you are an #OpenSource maintainer and you're publishing container images on Docker Hub, they are monetizing your images, and they're doing so via a flat monthly rate regardless of consumption level. (IMHO that rate is too high, but YMMV, I guess)

This is obviously their prerogative. Really my only request/suggestion to Open Source maintainers who publish container images would be to consider also publishing them on GitHub's container registry (aka GitHub Packages) or any other registry, rather than single-sourcing with Docker Hub.
Assuming they actually provide me with the formal legalese that I asked for, I'll write up a longer blog post at some point in the next week or so. I absolutely don't want people to feel like they have to take my word for anything!
@rossgrady I had always wondered who was paying for Docker Hub. Insane amounts of storage and bandwidth aren't cheap. I guess now we know the answer probably was just VCs.

@rossgrady if I'm running a Docker image that starts "FROM python:3.12-slim" it pulls from Docker Hub (via a local cache) any time I run "docker build", right?

Am I supposed to be paying for that? There's no authentication involved for me at the moment

@simon @rossgrady if you pull too frequently it notices and fails, telling you to log in (presumably if your network address is stable). Found this out after joining a team not using a private container registry for "base" images and so debugging problems that involved rebuilds resulted in frequent pulls. Fortunately we were too small still for them to demand payment.
@r343l @rossgrady almost all of my builds happen on GitHub Actions runners, maybe they have their own caching proxy

@simon @r343l @rossgrady docker has a deal with circleci to not require everyone to auth.

There is probably a similar deal with GHA.

@dreid @simon @rossgrady Yeah unfortunately the docker builds I had issues with were local ones (for reasons that are tedious to relate and not ideal).
@simon IF you are doing so as part of your job and IF you are employed by a company with > 250 employees and/or > $10M in annual revenue, then yes, apparently so, per a policy change that is not (yet) well documented.
@rossgrady Seems an acquisition by Oracle would be great with the same business model!
@rossgrady I like the fact that podman already anticipated the change (the default address is not docker.io for pulling): podman clearly saw that thing coming
@rossgrady as someone whose corp is forking over lots of money to Docker, I can tell you the experience is shit. They recently started enforcing their rate limits in a way that we’re getting 429s left and right. There’s always some process that pulls Docker images where we can’t figure out how to give it the proper credentials so it doesn’t run into the rate limits. 🤷‍♂️
@rossgrady
"TL;DR: enterprises are now expected to pay for a full Docker subscription for *any* access to any "Docker Platform" features, including Docker Hub, regardless of pull rate."

Is there some sort of official statement one can link to?
@rwa Right now the closest any of us can find is the wording change (actually like 20 months old) at the very bottom of the pricing FAQ: https://www.docker.com/pricing/faq/

"Do I need a paid subscription to use the images on Docker Hub for commercial use?"

"Images on Docker Hub can be used for commercial use, as long as Docker Desktop is properly licensed. Paid subscriptions are needed for commercial use of Docker Desktop at organizations with more than $10 million annual revenue OR more than 250 employees."

However, I have asked them to give me something more formal, such as a revised TOS or subscription agreement. Still waiting . . .
@rossgrady thanks, looking forward to an update on this from the Docker folks

@rossgrady You really think that #GitHub won’t try to monetize #container image hosting if they become the next default?

Either they’ll do as you say #Docker is doing and demand subscriptions, or they’ll figure out a way to train #AI with your images and sell them back to you and your competition.

Just as in “publishing” content to centralized social media, the only long-term hedge is self-hosting. But then we’ll need an image crawler and search engine, and we know how that game went.

@mjgardner In my case, my focus for this discussion is <dayjob>, and I already pay GitHub a LOT.

But yes, I agree, that from an open source perspective, the answer is a fully distributed model with something that looks more like DNS to index/find images.

@rossgrady #Container images are usually already served over HTTP with DNS lookups. Why not leverage that, perhaps with an #IANA-registered Well-Known URI (#RFC8615) for finding the images served by a site? https://iana.org/assignments/well-known-uris/

/cc @mnot @ietf

@[email protected] So what is the impact for smaller companies or regular people?

"consider also publishing them on GitHub's container registry"

Ah yes, the other proprietary platform owned by a megacorporation trying to squeeze society for everything it can get away with. If you want to avoid these kinds of situations, consider using free software solutions. Learn from this mistake.

@tyil IMHO smaller companies and regular people should probably read that article that has been floating around & ask themselves whether they really get value out of containerized workloads in the first place, or whether they are paying a complexity tax in order to do a thing that really only adds value at cloud scale. :)
@rossgrady So it sounds like Docker Hub is now a commercial distributor. That would mean they're obliged to provide sources for all the GPL software included in hosted container images (instead of being able to point to whoever uploaded the image). Also as a commercial operation they would have higher liability for copyright infringement.
But I'm sure they've thought of that and figured out compliance for the totally undocumented assemblages of random software that they redistribute... right?
@bwh it’s funny, I just spent wayy too much time going back and forth with another bundler/redistributor of open source in the Python world, trying to get contractual clarity around what was their product and what was just the upstream open source packages. I’d say based on that experience that this is still largely an unsolved problem, at least when it comes to former open source companies now trying to monetize :)
@rossgrady I’d be surprised if that were so. Otherwise one would have to manually accept these terms before being able to pull an image, like Letsencrypt clients require manual terms acceptance. Without that, users can use the clients (e.g. the old one as packaged in Debian) and never know about that, and they did offer the service to the public for like forever, so customary access may still be assumed I’d think.
@mirabilos This is scoped to enterprises with > $10M in annual revenue or > 250 employees.

I can tell you from experience that they have sufficient data analytics skills to at least loosely associate IP ranges and/or email addresses associated with Docker Hub IDs back to their related enterprises.

(Not very accurately, but enough to result in email contact attempts. Large numbers of them.)
@rossgrady right, but I assume the onus is on them to communicate that to me-as-an-employee first, or at least to someone in the company who’d then disseminate the info.
@mirabilos They have a long track record of posting changes to their website and asserting that as binding. It *is* still worthwhile to push back, though. With the changes to the Docker Desktop license, they treated the download of v4 as a click through EULA. You’re right that just continuing to download as always is a slightly different case.

If I were them, I’d eliminate anonymous pulls entirely. But I’d never want to be them . . .
@rossgrady yeah but I wouldn’t download that, I install the command line tools from Debian.