Away from docker.io
rgaudin opened this issue Β· comments
Docker Hub announced that all non-paying organizations will see their data deleted on April 14th (see this article). Turns out they won't delete existing public images (all our images are public) but we won't be able to publish new ones.
This has two important consequences:
- We won't be able to push to docker.io anymore
and our images won't be hosted there anymore. That would be the result of not switching to a Paid Plan. - We won't be able to build any image depending on source ones hosted on docker.io which would also be affected by this change: ie. using Free Teams Plan.
Should we pay?
No. This would only sort the first issue, which is the easiest to address and is probably a good move anyway.
Also, we don't want to support Docker Hub and their aggressive behaviors (it's the the first rude move from their part).
What needs to be done for publication?
- All our images must push to ghcr.io only.
- READMEs must be updated to point to
ghcr.io
for links and examples. - READMEs must be updated to badges independent of docker.io
- We need to communicate (social media?) that we migrated all our images to ghcr.io
- We need to delete our organization accounts (
kiwix
,openzim
) on docker.io.
Update docker workflow
Most of our repos uses our docker-publish-action.
- Use
uses: openzim/docker-publish-action@v10
. This now defaults toghcr.io
only. If update not wanted, setregistries: ghcr.io
- Remove the
DOCKERIO_*
lines incredentials
. Not mandatory but cleaner as not used anymore.
Update badges
img.shields.io doesnt have ghcr.io badges (because it requires API autehnticated/quota requests) yet. In the mean time, we have two alternatives:
Images using latest
only
[![Docker](https://img.shields.io/badge/docker-latest-blue)](https://ghcr.io/kiwix/borg-backup)
Versioned images
Use (temporarily) an external service that will most likely not handle traffic at some point
[![Docker](https://ghcr-badge.deta.dev/openzim/wikihow/latest_tag?label=docker)](https://ghcr.io/openzim/wikihow)
What needs to be done for building?
While docker stated that public images won't be deleted, some people (π) proactively delete their images from docker.ioβ¦
We probably shouldn't worry about that affecting us but it's an opportunity to assess our dependencies.
We should thus Identify all source (it can be chained) images used in all our Dockerfile for their status:
- Is an Official Docker Image? Those are safe.
- Is from a paid account or a personal or OSS one? Safe for now but heck whether available on another registry. Maybe open a ticket.
- Is from a Free Team Organization? Create a ticket to follow-up: find out migration strategy: to another registry? ghcr ? to a personnal docker.io account?
- Should it be updated (too old)? Maybe open a ticket.
Repo / image | Publication | Build Sources | Ticket |
---|---|---|---|
offspot/container-images | |||
base-httpd |
β | β
alpine:3 (DOI) |
|
captive-portal |
β | β
alpine:3.16 (DOI) |
|
dashboard |
β | β
caddy:2.6.1-alpine (DOI) |
|
edupi |
β | β
python:3.8.14-slim-bullseye (DOI) |
|
file-browser |
β | β
caddy:2.6.1-alpine (DOI) |
|
hwclock |
β | β
alpine:3.16 (DOI) |
|
kiwix-serve |
β | β
debian:bullseye-slim alpine:3 (DOI) |
|
reverse-proxy |
β | β
caddy:2.6.1-alpine (DOI) |
|
wikifundi |
β | β
debian:bullseye-slim (DOI) |
|
offspot/cardshop | |||
manager |
β | tiangolo/uwsgi-nginx:python3.8 (CU) |
|
scheduler |
β | tiangolo/uwsgi-nginx:python3.8 (CU) |
|
worker |
β | rgaudin/python-ubuntu:3.8-18.04 (CU) ubuntu:18.04 (DOI) |
|
offspot/kiwix-hotspot | - | β
mcr.microsoft.com/windows/servercore:ltsc2019 |
|
offspot/content-filter | β | β
python:3.8-slim-buster (DOI) |
|
offspot/mediawiki-docker | β | β
nginx:1.21.3 (DOI) |
|
offspot/wikifundi-{en,es,fr} | β | β
ghcr.io/offspot/mediawiki:1.36.1 |
|
kiwix/kiwix-js | β | β emscripten/emsdk:2.0.25 (CO) |
kiwix/kiwix-js#980 |
kiwix/kiwix-build | β | β
alpine:3.16 ubuntu:bionic fedora:35 ubuntu:focal |
|
kiwix/libkiwix | - | β
ghcr.io/kiwix/kiwix-build_ci_* |
|
kiwix/kiwix-desktop | - | β
ghcr.io/kiwix/kiwix-build_ci_* |
|
kiwix/borg-backup | β | β
debian:bullseye-slim (DOI) |
|
kiwix/kiwix-tools | β | β
ghcr.io/kiwix/kiwix-build_ci_* alpine:3.16 (DOI) |
|
kiwix/kiwix-js-windows | β | β
nginx:latest (DOI) |
|
kiwix/metrics | β | β
debian:buster-slim |
|
kiwix/container-images | |||
dropbox |
β | β
debian:11-slim (DOI) |
|
mirrorbrain |
β | β
httpd:2.4.43 (DOI) |
|
matomo |
β | β
matomo:4.13.3-fpm (DOI) |
|
matomo-log-analytics |
β | β
debian:bullseye-slim (DOI) |
|
openzim/surfer |
β | β
node:16-bullseye (DOI) |
|
bittorrent-tracker |
β | β
debian:buster-slim (DOI) |
|
netdata |
β | β
ghcr.io/netdata/netdata:v1.38 |
(was netdata/netdata:v1.35 ) |
kiwix/k8s | - | β
docker.io/alpine:3 docker.io/mongo:4.2.9 docker.io/mariadb:10.4 docker.io/nginx:1.21 docker.io/postgres:10.4 docker.io/postgres:11 docker.io/mysql:8-debian docker.io/bitnami/minideb docker.io/bitnami/nginx:1.21 docker.io/bash:5-alpine3.15 docker.io/varnish:7.1-alpine (DOI) docker.io/gimoh/pureftpd:latest (CU) docker.io/vimagick/rsyncd:latest (CU) β docker.io/kiwix/watcherbot:latest |
|
openzim/zim-tools | β | β
alpine:3 (DOI) |
|
openzim/javascript-libzim | - | β emscripten/emsdk:3.1.12 (CO) |
openzim/javascript-libzim#46 |
openzim/wp1 | β | β
mysql:5.7 mysql:8.0.30 redis node:lts-alpine nginx:stable-alpine python:3.9 mariadb:10.1 (DOI) jwilder/nginx-proxy jrcs/letsencrypt-nginx-proxy-companion (CU) β
ghcr.io/kiwix/borg-backup:latest |
|
openzim/zimfarm | β | β
python:3.8-buster alpine:edge python:3.10-alpine node:14-alpine library/nginx:mainline-alpine rgaudin/uwsgi-nginx:python3.8 (CU) β
ghcr.io/netdata/netdata:v1.38 (CO) |
|
openzim/mwoffliner | β
redis redis:7 (DOI) β
ghcr.io/openzim/node-redis:18-7 |
||
openzim/phet | β | β
node:18 (DOI) |
|
openzim/kolibri | β | β
python:3.11-bullseye (DOI) |
|
openzim/gutenberg | β | β
python:3.11-bullseye (DOI) |
|
openzim/nautilus | β | β
python:3.8 (DOI) |
|
openim/zimit | β | β webrecorder/browsertrix-crawler:0.8.1 (CO) |
webrecorder/browsertrix-crawler#260 |
openzim/cms | β | β
node:14-alpine library/nginx:mainline-alpine (DOI) tiangolo/uvicorn-gunicorn:python3.10-slim (CU) |
|
openzim/sotoki | β | β
redis:6.2.4-buster python:3.8-slim |
|
openzim/openedx | β | β
python:3.8 |
|
openzim/ted | β | β
python:3.8 (DOI) |
|
openzim/ifixit | β | β
python:3.8-slim (DOI) |
|
openzim/youtube | β | β
python:3.8 (DOI) |
|
openzim/wikihow | β | β
python:3.8-slim (DOI) |
|
openzim/librechef | β | β
python:3.8 (DOI) |
|
openzim/education-numerique | β | β
ubuntu:20.04 (DOI) |
|
openzim/zimit-frontend | β | β
node:14-alpine (DOI) tiangolo/uwsgi-nginx:python3.8 (CU) |
What's Next?
This is all in reaction to DockerHub's erratic behavior. We'll have all our images stored on GHCR but still depends a lot on docker.io to function⦠but it's still a major part of the Docker ecosystem and it's unlikely to go away suddenly.
Archiving is a concerned. @kelson42 mentioned on Slack that he is βnot convinced there is value in past Docker imagesβ. It means that we wont transfer any docker.io-only image to ghcr.io.
I'd like @kelson42 to use this opportunity to lay out a general Docker image policy for the versioned repos. If we believe past images are useless, then we should be responsible registry users and delete them.
We could integrate that into the docker-publish-action so it's effortless. It could be a combination of age and number of more recent versions for instance.
- We're now solely publishing all our images to ghcr.io and documentations have been adapted.
- We've removed all our images from docker.io and our two profiles now point to We're on GHCR.io.
- Most images depends on Docker Official Images
- 10 images depends on Images belonging to Community User accounts (personal accounts)
- 3 images depends on Community Organization
- zimit:
webrecorder
which planned on converting to a personal account (probably wont do it now) - kiwix-js and kiwix-js-windows:
emscripten
for some non essential scripts.
- zimit:
- docker.io back-pedaled and canceled the whole change.