Docker is sunsetting Free Team organizations [pdf] (docker.com)
233 points by axelfontaine on March 14, 2023 | 107 comments



What's phenomenal about this so far is that the email does not indicate:

    - what actually will happen to teams that don't become paid
    - what will get deleted on which timeline
    - whether others will be able to typosquat the images after the teams get deleted
    - how folks might handle cases where a team is owned by an oss org and has no central billing thing (fairly common)
    - how we might better handle bot users as part of paid teams

Also great is that the only way I'd know this was going on is by checking my email - I quickly went to their blog to look and didn't find anything relating to this email.

If anything, I'd want to convert my teams (dokku and gliderlabs) _back_ to single accounts, but there doesn't seem to be a way to do that.

I get that there is a need to make the company profitable but maybe spend more than 5 minutes crafting the email and thinking of outcomes for your users (who are already pissed at your pricing changes). This only makes me feel like I should move my hosting to something paid (ECR?), delete the org, and then typosquat the images.


Maybe I'm cynical, but in leaving so many critical information points out, Docker appears to be fear mongering organizations into paying for a subscription. If they provided answers to all these points, then orgs would be able to make a logical decision. By leaving these questions unanswered, orgs are incentivized to move to paid just to avoid any unknown consequences.


I have an idle team to hold a namespace for brand protection / to prevent squatting on the namespace that matches my GitHub organization.

Since the Docker daemon defaults to using Docker Hub, this feels like a dirty move to me. If I want 2 members to ensure someone can always control that namespace, do I have to pay $240 per year now?

I’d pay $20 per year for that since it helps prevent large scale squatting, but $240 per year under the threat of deletion feels like extortion.


GitHub Container Registry is a decent option for orgs, open source and private. I believe it's free to host public images and private images are just tied into your GitHub billing.


Except that the docker cli defaults to the https://hub.docker.com registry.

Meaning if you do

    docker pull rust

it'll get it from https://hub.docker.com/_/rust

Then there are namespaced things, for example your new product, mattrick/awome-flobbergator

How to install? Docker.

    docker pull mattrick/awome-flobbergator

    Using default tag: latest
    Error response from daemon: pull access denied for mattrick/awome-flobbergator, repository does not exist or may require 'docker login': denied: requested access to the resource is denied

Every time someone needs to prefix it with ghcr.io to make it pull from GitHub.

We shouldn't do

1) default registries

2) when we post documentation online we should be explicit as to what the registry is
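An added example, not part of the thread and not Docker's own code: the reference-expansion rule the comment above describes, used to flag `FROM` lines that rely on the implicit Docker Hub default or are not pinned by digest. The sample Dockerfile, the digest and the function names are constructed for illustration.

```python
import re

DEFAULT_REGISTRY = "docker.io"   # host the Docker client assumes when none is given
DEFAULT_NAMESPACE = "library"    # namespace of single-name images such as "rust"
DIGEST_RE = re.compile(r"sha256:[0-9a-f]{64}")


def parse_reference(ref):
    """Expand an image reference the way the Docker client resolves it."""
    name, _, digest = ref.partition("@")
    tag = None
    # A ':' only starts a tag when it comes after the last '/', so the port in
    # "localhost:5000/app" is not mistaken for a tag.
    if name.rfind(":") > name.rfind("/"):
        name, _, tag = name.rpartition(":")
    first, slash, rest = name.partition("/")
    # The first path component is a registry host only if it looks like one.
    explicit = bool(slash) and (
        "." in first or ":" in first or first == "localhost" or first != first.lower()
    )
    if explicit:
        registry, path = first, rest
    else:
        registry = DEFAULT_REGISTRY
        path = name if slash else f"{DEFAULT_NAMESPACE}/{name}"
    if tag is None and not digest:
        tag = "latest"
    canonical = f"{registry}/{path}"
    if tag:
        canonical += f":{tag}"
    if digest:
        canonical += f"@{digest}"
    return {
        "explicit_registry": explicit,
        "digest": digest or None,
        "canonical": canonical,
    }


def audit_dockerfile(text):
    """Return (line number, image as written, canonical form, issues) per FROM line."""
    findings, stages = [], set()
    for lineno, line in enumerate(text.splitlines(), 1):
        words = line.split()
        if len(words) < 2 or words[0].upper() != "FROM":
            continue
        args = [w for w in words[1:] if not w.startswith("--")]  # drop --platform=...
        if not args:
            continue
        image = args[0]
        # Skip the empty base image, earlier build stages and unresolved ARGs.
        external = image != "scratch" and image.lower() not in stages and "$" not in image
        if external:
            ref = parse_reference(image)
            issues = []
            if not ref["explicit_registry"]:
                issues.append("implicit-registry")
            if ref["digest"] is None:
                issues.append("not-pinned-by-digest")
            elif not DIGEST_RE.fullmatch(ref["digest"]):
                issues.append("malformed-digest")
            if issues:
                findings.append((lineno, image, ref["canonical"], issues))
        if len(args) >= 3 and args[1].upper() == "AS":
            stages.add(args[2].lower())
    return findings


# Constructed sample input; the digest is a placeholder, not a real image digest.
SAMPLE_DIGEST = "sha256:" + "a" * 64
SAMPLE_DOCKERFILE = "\n".join([
    "FROM rust AS builder",
    "FROM mattrick/awome-flobbergator",
    "FROM ghcr.io/mattrick/awome-flobbergator:1.2",
    f"FROM ghcr.io/mattrick/awome-flobbergator@{SAMPLE_DIGEST}",
    "FROM builder",
])

if __name__ == "__main__":
    for lineno, image, canonical, issues in audit_dockerfile(SAMPLE_DOCKERFILE):
        print(f"line {lineno}: {image} -> {canonical} [{', '.join(issues)}]")
```

A reference that is both registry-qualified and digest-pinned keeps resolving to the same content regardless of what later happens to the short name on the default registry.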


This is all part of docker's master plan.

You can see it with more clarity here:

https://github.com/moby/moby/issues/11815

or here:

https://stackoverflow.com/questions/33054369/how-to-change-t...

so redhat's podman clone of docker allows this:

https://halukkarakaya.medium.com/how-to-configure-default-se...


Utterly confusing messaging from Docker once again, and this is from a prior advocate for early Docker, and part of their Captains program for several years.

The wording seems clear that they are going to delete all data and lock access unless payment is received within 30 days, whether there are public or private repos in the organisation.

I pay for a personal account, however my main concern is people taking over the official account names and publishing poison images which people are used to pulling already, and won't even think to check if the account ownership has changed.

I've asked the CTO to comment on Twitter.

https://twitter.com/alexellisuk/status/1635679295891812359?s...


> however my main concern is people taking over the official account names and publishing poison images

The PDF has been updated to address that:

> Can someone else “squat” my namespace?

> No. Even if your organization is suspended, deleted, or you choose to leave Docker voluntarily, your organization’s namespace will not be released, so other users can’t “squat” your images.


That's exactly why I have a "teams" account on Docker, we had previously posted Images for an OSS project to the hub, but migrated to a different repository later on. We still push public images there, but, we tell everyone to use the new repo for upgrades/new installs. How frustrating.


Everyone who has a "Free Team organization" just received the following email:

> Docker is sunsetting Free Team organizations

> Free Team organizations are a legacy subscription tier that no longer exists. This tier included many of the same features, rates, and functionality as a paid Docker Team subscription.

> After reviewing the list of accounts that are members of legacy Free Team organizations, we’ve identified yours as potentially being one of them.

> If you own a legacy Free Team organization, access to paid features — including private repositories — will be suspended on April 14, 2023 (11:59 pm UTC). Upgrade your subscription before April 14, 2023 to continue accessing your organization.

> If you don’t upgrade to a paid subscription, Docker will retain your organization data for 30 days, after which it will be subject to deletion. During that time, you will maintain access to any images in your public repositories, though rate limitations will apply. At any point during the 30-day period, you can restore access to your organization account if you upgrade to a paid subscription. Visit our FAQ for more information.

Basically giving everyone ~30 days to migrate their data (to another host or paid Docker plan) or lose access to it.

As a funny side-note, the PDF seems to have been made so you cannot copy-paste text out from it, so no interactivity. But that also means that the "How much does a Docker subscription cost?" doesn't actually have any information about how much a subscription costs, and the link to the page doesn't work. Great work Docker Inc.


I really don't understand the move. No way open source collectives will be able to pay the 300$/y minimum cost for an organisation and there is no way to convert an organisation back to a user. I expect there will be a lot of broken pulling of images on that day.


Gitlab registry is maybe the easiest way out of this, either paid or self-hosted using the community version.


GitHub container registry has no limitations for public projects, unlike GitLab.


No limitations for now.


That could be said of any free container registry out there...


Exactly. Software development is in the middle of a clash with reality. It's just not sensible to expect to pay nothing for a piece of vital infrastructure.


100% agreed. Donate to cURL!


I've been publishing all of my open source containers on GHCR for this exact reason.

https://github.com/multi-py/


I thought there were size limits for the entire account?


> GitHub Packages usage is free for public packages.

https://docs.github.com/en/billing/managing-billing-for-gith...


Gitlab registry is utterly annoying with its confusing namespacing. Would use github or anything else tbh.


Cachix is adding a free tier for FOSS projects. Drop Docker; move to Nix.


Unless they're exposing oci images, that solves a completely different problem

(Don't get me wrong, I like nix, but it's nothing like a drop in replacement for a container-based workflow)


Minimum paid teams subscription is $300/yr. I use free teams and will be switching to GitHub or somewhere else because of how short notice this was. Docker really shit the bed on this one.


How will they ever survive without you using the service for free...


It's more than free users leaving. I have 2 orgs on Docker Hub, one is paid for my company's private images for our products and services, the other is an org for free images we maintain and give to the community.

With this change we'll have to move the free org somewhere else... If we do that we may as well move the paid org too. So now they're losing out on revenue, because I'm not splitting my stuff between two different registries. We'll just migrate to a new one and that registry will get our paid team too.


I'm sure losing any one free-user is inconsequential and even advantageous per free account they rid themselves of.

BUT, there's a massive brand-value to being the place, and the company that everyone goes to.

Losing that status is something they might not survive, especially in the user-hostile manner they are acting. The hate-your-user approach works only if there are no alternatives and competitors who would like to eat your lunch (github, gitlab).


Their (mostly free) users are the only asset they have. They didn't invent container technology, they made a nice interface that popularized it. That's fine, they did a good job, but it seems like they are getting funding on the premise that they're somehow going to be able to get money out of everyone running linux containers.

What services does Docker actually provide? You don't need a crystal ball to know hosting image tarballs is going to be a very low margin business, even if you have the HUGE advantage of baking your URL into the client.

And once you kill that goose, even if it only lays copper eggs, it's not coming back. Once users don't use docker.io, what relevance will the Docker client have?


People use dockerhub, become familiar with it and then recommend it. I used to use dockerhub and recommend it at my workplaces, and we did indeed buy subscriptions.

Now I don't use it and actively recommend a competitor. Indeed it seems more and more companies will stop using it.


Potato potato. Like it or not, they ditched a bunch of free loaders and likely turned a significant number of them into paid customers (at least until they have time to migrate).

Big corporate players were already paying, so from a MBA penny counting move, it is brilliant.


More likely they disrupted their users and now people are switching off them and hedging against the risk of docker doing disruptive things.

They aren’t quite Novell/SCO levels of dumb, but it’s sad to see such a good company spiral into nothingness.


And organizations that don't switch, will begrudgingly pay up to avoid impacting their users, but will be left with a sour taste as they've essentially been blackmailed into paying. There's no way they're turning these orgs into long-term customers. Especially now when there are plenty of alternative image hosts.

I don't get why they couldn't charge by usage, or have more granular tiers. For small teams and projects $300/yr is not an insignificant amount.

What a tone-deaf and greedy decision, communicated in a terribly unclear way.


The cost difference between projects must be enormous.

Some comments in this discussion refer to projects with many millions of hits.

Mine has 5000. A free tier with 10GB of image storage and some small number of pulls per month would be fine.


Just like Amazon released Finch as a response to the conversion of Docker Desktop to pay-only software, no doubt one of the big players will take advantage of this too.


The aggressive data retention requirements for the Docker client were the last straw for a lot of enterprises.


The big corp I work for has looked for self-hosting alternatives after their pricing move. There was nothing in Docker actually locking us in them, it was just convenient. I for one haven't touched any official Docker stuff for a while now, free alternatives fill the gap pretty well.

It is brilliant, until it's not, I'm very sure they are trying to squeeze as much as they can from the cash cow before it dies, there's almost no reason to actually pay Docker for what it is, and they lost the support from the techies who championed them 10 years ago after these pricing changes. I was one of them, had been using Docker since pre-1.0 days...


> I for one haven't touched any official Docker stuff for a while now, free alternatives fill the gap pretty well.

DockerHub still seems to have the most images out there and is what many people reach for when they need to run some pre-built image.

I have my own Nexus which acts as a caching proxy and is also where I upload my own custom container images to use on my own servers, but that sort of setup probably isn't for everyone.

Also, Docker Desktop still seems to be the most popular way to run containers in Windows, unless something like Podman Desktop or Rancher Desktop seem stable enough for you.


Rancher Desktop has been rock solid for my use cases for at least the last year or so.


> from a MBA penny counting move, it is brilliant.

while slowly killing their brand one cut at a time.


What brand? Yes, they developed and popularized the container workflow, but what does Docker the company have to offer me? Container registry? I can get that at a number of providers who will do their best to offer an API compatible service.


> What brand? Yes, they developed and popularized the container workflow,

The name of their company is synonymous with container technology, because they made a nice UI. I think it's fair to say they have a brand.

> but what does Docker the company have to offer me? Container registry? I can get that at a number of providers who will do their best to offer an API compatible service.

That's exactly how they're killing their brand. Maybe it would be better to say they are failing to keep their brand relevant.


Spending decisions aren't always made by penny-pinchers. Sometimes it's inertia, not disrupting the status quo, dance with who brung ya, avoiding work, a hundred reasons why groups of people transition from a free plan to a paid plan with the same company over time if the company hasn't given them a sudden, dramatic, stressful reminder that they need to shop around and always be ready to switch to whoever gives them the best deal.

Docker wants to be a sticky default, not a commodity that has to compete with ECR and GCR on cost and features.


Going from $0/yr to $300/yr is a significant kick in the pants, at least for solo devs.


they have a $60/yr plan that does concurrent builds and allows near-daily vuln scans. sure there are better options out there but i find it hard to believe someone who needs more than that isn't getting $20/mo of value from it (that costs what, somewhere around 5 to 15 minutes of work?)


Docker: We're making 100 million/year in revenue and everyone is treating us as the trusted place to work with docker images--we're a huge success!

"For our next act, let's hold their images hostage and threaten to kill them in 30 days unless they pay a ransom!"

I mean, it's ok to hate your users, but maybe just don't make it so obvious?


FYI, there is now an issue on Docker's GitHub to ask questions and comment on, per Docker's CTO

https://github.com/docker/hub-feedback/issues/2314

https://twitter.com/justincormack/status/1635704358355468307

---

key takeaways

> Any organizations suspended or deleted will not release the namespace, so squatting previous namespaces will not be possible.


If deleted organizations are not released, does that mean there's no road to getting the namespace back if an organization decides 2-3 years down the road to return to Docker?


This issue bit me on Gmail.

I feel like once you have registered a namespace you should always be able to reclaim it using the same communication medium in use when it was active.

Maybe I'm not thinking deep enough on the issue though?


good question, I'd ask on the GH issue


It seems to be a habit at Docker to give incredibly short notice before service shutdowns: See the 2018 shutdown of some Docker Cloud services which had a two month notice period ( https://news.ycombinator.com/item?id=16665130 )

I got bit by that back then as a commercial customer and sent a complaint to them. Response was an offer for tickets and travel to a just upcoming Docker Con. Well, thanks but no thanks. I don't need to go to their conference when I'm busy migrating my org to a different service provider.


The information not included in the title is that Docker-the-Company is only shutting down DockerHub private free registry container image hosting.

Presumably the publicly accessible DockerHub projects can continue, business as usual.

Are there alternative docker registry hosts which provide free private image hosting?

Edit: I found a gist with an extensive list!

https://gist.github.com/JakubOboza/fbd6259f5b6321f17e8c3cdb1...


It's really unclear but from this paragraph in the email it sounds like the whole organization will be "subject to deletion":

> If you don’t upgrade to a paid subscription, Docker will retain your organization data for 30 days, after which it will be subject to deletion. During that time, you will maintain access to any images in your public repositories, though rate limitations will apply. At any point during the 30-day period, you can restore access to your organization account if you upgrade to a paid subscription.


I just got the same email, and am a bit confused on that point. The FAQ makes it sound like it's about private repos, but from the email the scope appears to be broader:

[edit: email removed to reduce noise since it appears elsewhere in these comments: https://news.ycombinator.com/item?id=35154060]


If you look at the pricing table of Docker, https://www.docker.com/pricing/

There is no Teams for free tier. Likely everything is affected.


Does this mean DockerHub is going to stop hosting all the open source container images?

That'd be a great way to make Docker-the-company 100% irrelevant. I hope we're misunderstanding and they wouldn't do such a move.


Personally, when they introduced rate limits couple years ago, Docker became irrelevant for me already, and I have moved into GitHub and Quay.

We will see what will happen.


am surprised Docker is relevant as they have been openly hostile to the open source community for a long time... the community that made them...

the sooner everyone moves on from docker and let it fade into the history book the better the ecosystem will be


Docker as the default librarian of images due to the root namespace hijack in docker clients has a duty of care to maintain trust. A policy of preventing namespace reuse for 1 year before recycling should give time to prevent poisoned images squatting on popular handles.


It has to be a never type of deal, people use images way older than a year, especially the ones most likely to be hit by poisoning


At this point I stay far away from anything Docker Inc. Podman already has an architecture that makes way more sense on Linux. There are plenty of free alternatives for image registries, but self hosting is also super easy (I mean why not just run a registry container and be done with it).


I thought Podman attempts to mimic Docker behavior as close as possible?

What is different in its architecture exactly?


The primary difference is you’ll attempt to use Podman and begrudgingly go back to Docker after banging your head debugging SELinux.


Ha! My experience exactly, although I have to admit that this was for personal use at home where my patience is usually thin to non-existent. Docker CE on the home server saved me a lot of aggravation, where podman got me wondering if virtual machines were really that bad... Net effect is that I'm back on docker, plus two vm's I stood up during podman's interregnum.


Are you guys the kind of terrible devs who do chmod 777 every path you walk into? I guess you also put your user account in the docker group.


chmod is much better documented than the vague errors (which are silent or displayed as I/O errors) that podman "gives" you.

No, I usually use sudo with a slightly extended timeout.


The endless war of usability and security


By default Podman doesn't have a daemon running as root, although you can opt into it. Podman instead really encourages setting up systemd units to keep your images running.


Podman is very different internally than Docker. It might mimic commands and OCI image standard, but other things are quite different.

Docker is daemon-based and Podman is not. Podman uses SELinux by default with additional features and other practices for better security. You can use it without root user.


A primary difference is no server component running as root.


I work for a non-profit scientific research organization and we pay for a DockerHub Team subscription. It's where we host almost all of our images. But we also had a small Free Team that was used for one project just to put it in a different namespace, which we now have to scramble to move somewhere. It doesn't make any sense to double our costs just for that one project.

This move by Docker does not inspire any confidence in their long-term management, and will very likely drive us away from DockerHub entirely. It's really sad to watch this company fall from grace. I was an early adopter and always rooted for them from the very beginning.


Does anyone have any recommendations on how to preserve the paths of public images on organizations that used to be on the Free Team plan? It doesn't look like it allows you to select the Docker Personal plan (the only free one) for organizations, does that mean the image identifier of these images will need to change or can I convert an organization into a personal account somehow?


At the moment, there seems to be no way back. The page to convert an individual user account to an organization account (at https://hub.docker.com/settings/convert) explicitly states:

> To use organization features, convert your account from a User to an Organization.

> You can't undo this action.


Delete and recreate the account?


Does Docker reserve the namespace of deleted accounts/orgs?

EDIT: I seem to have answered my own question... https://forums.docker.com/t/how-can-i-delete-old-previous-ac...


Does anyone know if any deals/exemptions exist for Open Source?

Don’t want all my images for github.com/pion/webrtc to not be available, but paying is a bit much.


I think Docker Inc really doesn't want to host images for free anymore. The best way forward might be to mirror your images to other services.


It is understandable, considering the traffic costs they must have.

However I don't see how that game play will work out, considering that each cloud provider got their registry, which ties better to the cloud platform, each code hosting site (GitHub, gitlab) have their registry, which ties to their CI offerings ... why should anybody pick Docker Hub, which is another commercial contract and ties in, in a worse manner?


We publish openfaas images to ghcr.io and have no complaints. GitHub has had a rough time of it lately with numerous outages, but overall the registry is solid.

https://www.githubstatus.com/history?page=1



> Not have a pathway to commercialization. Your organization must not seek to make a profit through services or by charging for higher tiers. Accepting donations to sustain your efforts is permissible.

You only get help if you live in poverty without any path to being paid for your time and work. Tips are "permissible"


Unlike Docker Inc. of course, which is free to build a billion dollar business on top of free software tools like Linux, LXC, libvirt, etc.


Codeberg can host them, I suspect. I know Docker (had) a FOSS program at one point, too.

Running your own gitea/forgejo is an option, as they can host packages as well


maybe quay.io?


Does quay.io have a free tier? FAQ says public repos are free, but it doesn't have free tier.


For anyone who needs a replacement container registry, doesn't mind self-hosting, check out Project Quay[1]. It is a free, open-source, container registry. Primarily developed by Red Hat. It has a complete and well documented API[2]. And, in general has great documentation[3].

[1] https://www.projectquay.io/

[2] https://docs.projectquay.io/api_quay.html

[3] https://docs.projectquay.io/use_quay.html


DigitalOcean offers a single repository for free.

https://www.digitalocean.com/products/container-registry


I think docker is potentially just another example of service that can change terms and leave you in the lurch. Imho we are entering a time where portability and the ability to control your own destiny is going to be very important. That means when you do commit to a provider, or host, make sure you can move off. Maybe use methods that mask the end user from back-end provider changes or shenanigans, etc.


Thanks Docker for accelerating the migration to podman and github's container registry.


I think most, if not all, open source software I use that recommends Docker install has shifted to GitHub packages these last year or two (frigate and mautrix as an example). I won’t be surprised if this accelerates this transition.


We just got this as well. All we're using it for is to have a namespace for public repositories, but the email doesn't say anything about whether or not those will be kept around.


Anyone can deploy and run a selfhosted registry server, I fail to see a problem here. It's even better to keep your team's private images off Docker servers.


Despite the title of the FAQ, this is not just about private repos, it's about public ones too. Having to change the path to public repos (which could reside in different documentation, third-party tutorials, scripts, etc.) within 30 days is a reasonable thing to feel disrupted by.


Yeah. I don't host anything on their repo, but now I have 30 days to go through every Docker image I use and check if they have moved. This is extremely disruptive for me (and something I'll remember next time I'm considering something offered by Docker Inc or dependent on them).


Consider it a wake up call that you should have been doing that on a regular basis already.

Has Docker ever guaranteed that if a project closed its account another hostile one wouldn't be able to reuse the name? Outside of name takeover, you could have been pulling abandoned non-updated images for weeks/months without knowing it.


I set up a private mirror of everything I use from docker hub because I came home from vacation one day recently to discover that my home IP had been throttled for days.

Now I have a small GitHub Action project that mirrors from hub.docker.com to a private registry running on fly.io. Took all of 10 minutes to set up and now I don't have to worry about getting throttled or docker hub going away.


What would be the simplest/best selfhosted registry to self-host? I'm using the one from DigitalOcean, but I might self-host if there's a nice recommendation.


The simplest is probably the registry image: https://docs.docker.com/registry/

The best (automated cleanup, permissions management etc.) in my opinion is something like Sonatype Nexus: https://hub.docker.com/r/sonatype/nexus3/ which also handles various other formats, not just OCI containers.

Others might also suggest looking in the direction of Harbor: https://goharbor.io/ but it's a bit more complex.

Here's an approximation (slightly outdated, but close enough) of how I run my own Nexus instance: https://blog.kronis.dev/tutorials/moving-from-gitlab-registr...


Thank you!


got this email for a small open source project I had.

Not having a lot of users yet, so not sure I'll bother with the Docker Open Source Program which takes time to apply and wait for manual review. Also the email and faq doesn't mention the existence of Docker Open Source Program, which seems a sign of no guarantee that rule won't change again.

Wondering which would be better alternative, Codeberg vs Github CR?


It depends on which one you use for coding!


My biggest concern is the use of the local application. I don't _think_ that is affected but we'll see. I don't currently log in at all on the local application, will they start requiring you to login to even use the application?

We keep our repositories on AWS ECR, so we don't need it on Docker.


Is there any progress on podman for Windows or any other way of running containers on Windows? I cannot wait for the day the wider development community doesn't need to rely on anything from this company.


You can install podman on WSL2.


It's fairly common for dev tool hosts to not provide team features for free. Every time something comes up lately about Docker, it's anti-favorable, I don't get it. They freakin' let us self-host our own container registry if we want and explain it in detail: https://docs.docker.com/registry/deploying/


Instead of pay us or get deleted, why don't they create another free tier for public repos only to support OSS?


Switch to FileCoin for hosting where you can donate your laptop as a hosting resource.


We need a distributed registry for things like this, something like Bittorrent.



