Container image "piracy"

Apologies for the “sensational” topic! Maybe this is covered elsewhere in a different manner.

Consider the following commands.

  1. docker pull hello-world
  2. docker tag hello-world accountId.dkr.ecr.ap-south-1.amazonaws.com/demo/hello-world:latest
  3. docker push accountId.dkr.ecr.ap-south-1.amazonaws.com/demo/hello-world:latest

Thus, I have now moved hello-world from one registry to another and opened a ‘secondary market’ where I can ‘sell’ hello-world from another registry keeping the original registry out of the loop.

How do we protect against this kind of copying?

How do you protect anything that you can download from the internet? Everything could be downloaded and uploaded to another website. Like software, Docker images can have a license, but it doesn’t stop anyone from sharing the image somewhere else and claiming that the image is theirs. Most of the images are public and can be used as a base image. If I have just one additional environment variable, I could share it as a new image. Of course, I would also share what the base image was and what I added to it. I mean this is exactly what I do and I don’t even need to push it to a different registry.

You could implement your own licensing strategy and allow only registered users to use the image, require activating it somehow, but I can’t tell you how. You can also add metadata to the image as labels so whoever pulls the image and inspects it can see you as a maintainer, for example. Of course, if someone really wants to steal your work, labels can be changed by using the original image as a base image. docker history would show you the old LABEL instructions too, but history can be changed too.

Even if you hide your image behind a paywall that requires agreeing to an end user contract that forbids sharing or reverse engineering of the image (=legal consequences), it would be hard to actually detect a breach of contract if they reverse engineer your image and build their own, or use your image as a cache image during build and copy content from it when building their own image.

Docker Hub allows publishing images that require buying. I am not sure if re-tagging and pushing it works, as it would use the image layers from the paid image, or if people that didn’t pay for the image will be able to pull the re-tagged image. Same situation if someone uses your paid image as a base image… are the paid layers still protected? I have no idea. It is nothing I’d want to test.

So, how does one monetize container images? Give the image for free and charge for services? I am seriously asking how vendors make money out of container images.

Docker Hub allows publishing images that require buying. I am not sure if re-tagging and pushing it works, as it would use the image layers from the paid image, or if people that didn’t pay for the image will be able to pull the re-tagged image. Same situation if someone uses your paid image as a base image… are the paid layers still protected? I have no idea. It is nothing I’d want to test.

Can you please point me to the relevant documentation?

You might want to get in touch with the Docker Hub support about this: https://hub.docker.com/support/contact
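
The replies above point out that labels and history can be rewritten by using the original as a base image. What a re-tag or re-label does not change is the layer list, so a publisher can compare the `Id` and `RootFS.Layers` fields of `docker image inspect` output for their own image and a suspected copy. This is an added example, not code from the thread; the records and digests are constructed sample data and `registry.example` is a placeholder.

```python
import hashlib
import json

def fake_digest(name):
    # Constructed stand-in for a real sha256 digest (sample data only).
    return "sha256:" + hashlib.sha256(name.encode()).hexdigest()

def load_inspect(text):
    # `docker image inspect IMAGE` prints a JSON array with one object per image.
    return json.loads(text)[0]

def compare_images(original, candidate):
    """Classify candidate relative to original from their inspect records."""
    orig = original["RootFS"]["Layers"]   # digests of the uncompressed layers
    cand = candidate["RootFS"]["Layers"]
    if not orig:
        raise ValueError("original image has no layers to compare")
    if candidate["Id"] == original["Id"]:
        return "retag"           # identical config: only the repository name differs
    if cand == orig:
        return "metadata-only"   # same filesystem, rewritten config (labels, env)
    if cand[:len(orig)] == orig:
        return "derived"         # original used as base image, layers added on top
    if set(orig) & set(cand):
        return "shares-layers"   # e.g. a common public base; weak evidence alone
    return "unrelated"

def record(cfg, tag, maintainer, layers):
    # Builds a constructed record with the fields this check reads.
    return {"Id": fake_digest(cfg), "RepoTags": [tag],
            "Config": {"Labels": {"maintainer": maintainer}},
            "RootFS": {"Type": "layers", "Layers": [fake_digest(l) for l in layers]}}

ORIGINAL = record("cfg-a", "vendor/app:1.0", "vendor", ["os-base", "vendor-app"])
SAMPLES = {
    "retagged": dict(ORIGINAL, RepoTags=["registry.example/demo/app:latest"]),
    "relabelled": record("cfg-b", "other/app:1.0", "someone-else", ["os-base", "vendor-app"]),
    "extended": record("cfg-c", "other/app:2.0", "someone-else", ["os-base", "vendor-app", "extra"]),
    "same-base": record("cfg-d", "third/tool:1.0", "third", ["os-base", "third-tool"]),
    "unrelated": record("cfg-e", "fourth/tool:1.0", "fourth", ["alpine-like", "fourth-tool"]),
}

def classify_samples():
    # Round-trip through JSON text to mimic parsing real `docker image inspect` output.
    original = load_inspect(json.dumps([ORIGINAL]))
    return {name: compare_images(original, load_inspect(json.dumps([img])))
            for name, img in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:11} -> {verdict}")
```

A match shows that the same layers are being redistributed, not that a license was breached; an image rebuilt from copied content, as described in the thread, has different layers and will not match.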