Best way to provide a read-only Docker image to a private audience?

What is the best way to provide a non-official Docker image for a private audience? The members of the audience should not be able to push on the repository, only pull. Is there a way to host it with these constraints on DockerHub or do I need Docker Trusted Registry?


You can use the Docker Hub to do this. If you are using an organization, you can create a team that would include all the read-only members of your private audience. Next, you’d configure the repository to allow read only access to that team.

See for full info on how this works.


1 Like

Thanks for your reply. My other concern was that if there was a way to avoid people from redistributing their Docker images themselves once they have pulled them.

Would there be a way to avoiding people from pushing this Docker image to any other registry, or DockerHub itself?


Any software distribution mechanism that I can think of could potentially result in someone deciding to repost or republish it. There are generally several approaches that software publishers take to address this concern. They can implement some sort of DRM, or use an enforced software license.

The docker hub doesn’t include any sort of DRM features. Docker images are really little more than a tarball with a filesystem image. It is high enough level that you could potentially implement some sort of DRM system inside the image.


Hi there,

I’ve tried setting up a new org under my user ID and create a private repository though that. It wouldn’t allow me to do that, it would only let me create a private repository as the org of the user ID itself. I did that, then confirmed that my user ID was in the team “Owners” so that I’m allowed to add other user IDs as collaborators with different access levels as per the instructions (read-only, write e.t.c.) but I was only allowed to add user IDs as “Collaborator”, there was no second drop-down to select the access type or a way to change the access from “Collaborator” to something else, let’s say “read” like the screenshot provided on the instructions. Did I miss something? Or is this perhaps not a feature that is supported on a free Docker Hub account?