A casual security evaluation revealed that all of the 20+ processes in the quay.io registry container run as real root. Worse, the system has no authentication for image uploading, allowing -anyone- to clobber any existing image. Auth only exists for reading images, which is entirely backwards. Requests to patch these and other holes myself were denied.
Don't even get me started on general instability, or that on a failed build it would hang and never accept new ones without a manual container restart.
Had to pull the plug on the whole thing and replace it with a few git hooks and a vanilla docker registry, which has been simple and rock solid.
1. You have big rectangular elements that represent repositories, but 90% of that rectangle is dead space. Apply the click event to the whole rectangle, not just the title of the repo.
2. As a user, I am solely a member of an organization. I don't need to see a dashboard with just 3 starred projects, 3 random projects from my org, and 3 of my personal projects (of which there are 0). Just let me start at my org's page, or let me see every project from my org on the dashboard.
3. Wtf is the "list view" link on my dashboard? It appears to just show me 3 random projects out of the 9 in my organization, and completely hide the "starred" and "personal" sections?
Bugs:
1. Until recently, the Sign Out link 100% always threw an HTTP 500 error. Today, that is not happening? Who knows. Weird.
2. My IT guy created an account for me. As a result, I received an email with a login link. However, 24 hours later, I was logged out and could not log back in, because I never had a password set. Had to get the IT guy to send me another welcome email. IF PEOPLE NEED TO SET UP A PASSWORD, YOU SHOULD FORCE THEM TO, NOT HOPE THEY EVENTUALLY POKE AROUND AND FIND THE SET PASSWORD SCREEN.
Hopefully, this changes things.
More than 50 container images and I need to "Contact Sales" for an Enterprise contract? Really?
In a world where we routinely ship 0.x tools to production, it may feel a bit peculiar to see 2.0 as being the first 'production ready' version for Docker's suite of tools, but that very well may be the reality.
Then they modernised the UI and it's just like ... terrible. I have no more words for how much of a step backwards the latest UI is compared to the original one.
Now we use quay.io and it's much easier and faster.
It recently hit GA and is super fast. You can use it from anywhere -- not just GCE.
(Disclaimer: I used to work at Google on GCE/GKE/Kubernetes).
/dream
Let's not dream, let's get started! A few challenges (list gets longer every day, some asymmetric features), but I think it's a great idea. Since it's got to be grown/updated constantly, where should it live, maybe a github page? Benchmarks is pretty close via this: https://github.com/GoogleCloudPlatform/PerfKitBenchmarker I'm interested; what parts do you think you could contribute? It strikes me as a thing that's far more valuable if the community does it.
That said, I find myself wishing that Amazon would contribute more back to the Docker project (specifically the registry in this case), and then provide a hosted option with IAM integration, etc.
The existing AWS ecosystem is already enough for me to want to stay with them, but I'd say the Docker ecosystem is fragile enough that it could use some bolstering just to keep it viable and ensure Amazon's investments don't go down the tube if something better comes along.
If you are the market leader, lock-in is your strategy; hence the launch of so many new AWS services.
Google's play with Kubernetes is to reduce the dependency on proprietary cloud features. They are betting they can deliver better/faster/cheaper cloud services when compared to AWS. It should be interesting to watch, and great for us consumers of cloud services.
Both Google and Amazon will hugely benefit just by making the internet more ubiquitous (all roads lead to Rome). Google seems to realize that providing great open-source tools and systems is a good way to bolster their business. Amazon, on the other hand, provides great infrastructure but doesn't seem to be incredibly interested in anything that doesn't increase lock-in.
The more AWS provides, the more it does right, the more locked in you are in AWS. At some point everything will be AWS with zero commit back to any other project - stall.
In fact when we reach that point it's going to be difficult for AWS to provide new things since everything AWS does is basically provide open source tools with a scaling, programmable deployment AND management model (basically what open source tools usually lack).
Kinda scary when you think of it for too long.
Doing this today requires a fair bit of extra infrastructure over a basic v2 registry, and really it'd be much nicer to have a single service that was able to manage this.
0: https://blog.docker.com/2015/08/content-trust-docker-1-8/
- Replay attack prevention
- Freshness guarantees (so you can't be given older, vulnerable images)
- Trusted, delegated signing
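As an added illustration of the three properties listed above (this is example code written for this page, not Notary's or Docker's implementation): a small client that rejects replayed or rolled-back metadata by enforcing a monotonic version number, rejects stale metadata by checking an expiry, and only accepts a signature from the key trusted for the role the metadata claims (delegation). Assumptions: HMAC-SHA256 with pre-shared keys stands in for the Ed25519 signatures Notary/TUF actually use so the block runs with the standard library; the role names, key bytes, digests, clock value and the `TrustClient` class are all constructed for the example.

```python
import hashlib
import hmac
import json

# Constructed example keys. Real Notary/TUF metadata is signed with
# asymmetric keypairs; a shared HMAC secret stands in here so the example
# runs with the standard library only. Role names mirror TUF's layout:
# "targets" is the top-level role, "targets/releases" a delegated role.
TRUSTED_KEYS = {
    "targets": b"assumed-top-level-targets-key",
    "targets/releases": b"assumed-delegated-releases-key",
}
ATTACKER_KEY = b"key-not-in-the-trust-anchor"  # constructed


class TrustError(Exception):
    pass


def canonical(obj):
    # Deterministic encoding so signer and verifier hash identical bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign_metadata(role, key, target, digest, version, expires):
    signed = {
        "role": role,
        "target": target,
        "digest": digest,
        "version": version,
        "expires": expires,
    }
    sig = hmac.new(key, canonical(signed), hashlib.sha256).hexdigest()
    return {"signed": signed, "signature": sig}


class TrustClient:
    def __init__(self, trusted_keys):
        self.keys = dict(trusted_keys)
        self.accepted = {}  # target -> highest metadata version accepted so far

    def verify(self, blob, now):
        signed = blob["signed"]
        # Delegated signing: the key is selected by the role the metadata
        # claims, so a signature from any other key is rejected.
        key = self.keys.get(signed["role"])
        if key is None:
            raise TrustError("no trusted key for role %r" % signed["role"])
        expected = hmac.new(key, canonical(signed), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, blob["signature"]):
            raise TrustError("signature does not verify for role %r" % signed["role"])
        # Freshness: metadata carries an expiry, so a valid-but-stale copy
        # stops being accepted once the signer stops refreshing it.
        if now > signed["expires"]:
            raise TrustError("metadata expired")
        # Replay / rollback prevention: never accept a version lower than
        # one already accepted for this target.
        last = self.accepted.get(signed["target"], 0)
        if signed["version"] < last:
            raise TrustError("rollback: version %d < %d" % (signed["version"], last))
        self.accepted[signed["target"]] = signed["version"]
        return signed["digest"]


def run_scenario():
    """Walk through the cases a client must reject; returns a dict of outcomes."""
    now = 1_700_000_000  # constructed clock, seconds
    client = TrustClient(TRUSTED_KEYS)
    rel = TRUSTED_KEYS["targets/releases"]
    # Constructed digests, not real image digests.
    v1 = sign_metadata("targets/releases", rel, "app:latest", "sha256:" + "11" * 32, 1, now + 86400)
    v2 = sign_metadata("targets/releases", rel, "app:latest", "sha256:" + "22" * 32, 2, now + 86400)
    stale = sign_metadata("targets/releases", rel, "app:latest", "sha256:" + "33" * 32, 3, now - 1)
    forged = sign_metadata("targets/releases", ATTACKER_KEY, "app:latest", "sha256:" + "44" * 32, 4, now + 86400)
    tampered = json.loads(json.dumps(v2))
    tampered["signed"]["digest"] = "sha256:" + "55" * 32

    def attempt(blob):
        try:
            return client.verify(blob, now)
        except TrustError as e:
            return "rejected: " + str(e)

    return {
        "v1": attempt(v1),
        "v2": attempt(v2),
        "replay_v1": attempt(v1),   # old but correctly signed metadata
        "stale": attempt(stale),
        "forged": attempt(forged),
        "tampered": attempt(tampered),
    }


if __name__ == "__main__":
    for case, outcome in run_scenario().items():
        print(case, "->", outcome)
```

The order of checks matters: the signature is verified before the version or expiry is even read, so an attacker cannot influence the rollback or freshness logic with unsigned fields. A real client also persists `accepted` across runs; keeping it only in memory, as here, would let an attacker replay old metadata against a freshly started client.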
This is typically when they release stuff
AWS ECR: $0.10/GB-month (+ data transfer)
quay.io: $12/month - cheapest plan (5 repos)
docker.com: $7/month - cheapest plan (5 repos)
https://aws.amazon.com/ecr/pricing/
https://quay.io/plans/
https://www.docker.com/pricing