The Deletion of Docker.io/Bitnami

127 comments · August 28, 2025

asmor

> However, in order to sustain and support the dedicated team of engineers who maintain and build new charts and images, a subscription will be required if an organization needs the images and charts built and hosted in an OCI registry for them.

This is such a naive take. Bitnami images were a sign of goodwill, a foot in the door at places where the hardened images were actually needed. They just couldn't compete with the better options on the market. This isn't a way to fix it, it's extortion. This is the same thing Terraform Cloud did, and I don't think that product is doing so hot.

> Essentially, Bitnami has been the Jenkins of the internet for many years, but this has become unsustainable.

It's other people's software, so it's very rich of Bitnami to accuse anyone of freeloading when their only contribution is adding config options to software that maybe corresponds to a level 2 on the OperatorFramework capability scale[1] - usually more of a 1.

[1]: https://operatorframework.io/operator-capabilities/

pst

You're not wrong. They add minuscule value. But what does that say about the people using these images who are now struggling to replace them?

darkwater

> It's other people's software, so it's very rich of Bitnami to accuse anyone of freeloading when their only contribution is adding config options to software

I'm not going to defend a corporation but this sentence feels very entitled. They were providing it for free, you could use it. They are not going to provide it for free anymore, you migrate to something else or self-maintain it and say "thank you for the base work you did I can use now"

ownagefool

Aye, it's a bit like saying you can't sell your code, because you wrote it in someone else's software.

Writing a decent Dockerfile isn't hard, and keeping it maintained and working with new versions is still work and it's past the wheelhouse of very many people. It's entirely reasonable to want paid for that effort.

That said, it's not work I personally value enough to put my hand in my pocket, and that's a fair take too.

throw__away7391

When a project is abandoned, when updates are slow, when features people want are not being released, when tracking upstream dependency updates are delayed, sure, you are not entitled to anything and I’ll be the first one to say get off your butt and contribute. On the other hand when you engage with the community for years under an OSS/free context then once the community has invested in your project, learning it, creating learning resources for it, integrating it into their own projects, and you never communicated your intention to “wait until it gets big then pull the rug” it feels like a disingenuous bait and switch. The reason it feels that way is because it is a disingenuous bait and switch. This is even more so the case when you built your project on top of other projects.

I have no problem using a paid product or service or paying for support on an OSS product, but will never pay one of these bait and switch scams a dime, no matter how much engineering effort it takes.

debarshri

Building an infrastructure company is challenging in 2025. Previously, you would prioritize traction among developers over focusing on revenue.

But that does not work in 2025. You are expected to make money from the get-go and are left with only enterprise customers and boy, that category is hard, as everyone is competing for that slice.

esseph

The outcomes of this behavior will be devastating and the problems will last for generations.

Maken

Most of these companies and technologies won't last that long.

imiric

> Previously, you would prioritize traction among developers over focusing on revenue.

A.k.a. using open source as a marketing tactic to lure in customers, only to do a rug pull once the business gains enough momentum.

> But that does not work in 2025.

Good. It is an insidious practice. There are very few projects that actually do this properly without turning their backs on the users who made their products popular in the first place.

> You are expected to make money from the get-go and are left with only enterprise customers and boy, that category is hard, as everyone is competing for that slice.

The strategy of delivering valuable products that benefit users without exploiting them has always existed. The thing is that many companies choose the greedy and user hostile path, instead of running a sustainable business that delivers value to humanity and not just to shareholders, which is much more difficult. So I have no sympathy towards these companies.

kpcyrd

> it's extortion

That's a wild take for "somebody provided something for free but decided they don't want to anymore".

Sucks for you, looks like you have to do your job yourself now.

pacifika

If their contribution is minimal then the impact of this change should also be? But it appears it is disruptive so they have been showing up for a long time and that’s one of the most difficult things.

j45

Maybe the community can repackage it since Bitnami is only packaging.

tedk-42

Naive take.

That's like saying, "Honda isn't a car company, they're an assembly company because they don't mine the minerals to make the parts and rely instead on supply chains"

dig1

Well, Bitnami didn't produce its own hardware stack either ;) Joke aside, it's not naive - CentOS, Alma, Rocky, Ubuntu... the FOSS community has some experience with these things

greatgib

I don't want to discount the work they are doing, and that it has no value, but a little bit shocking that they expect to go all commercial with this, in the Oracle way, while just "packaging" and so relying on open source software that they will not contribute to.

Also, I'm a little bit wondering at how much all of this is really copyrightable in the end. Because if you keep it private I understand, but here it is basically for each package just a few lines, recipes to build the components that they don't own. Like trying to copyright the line "make build".

And it might be each the single and obvious way to package the thing anyway.

And speaking at the built artefacts, usually a binary distribution of third party open source software with common license should preserve the same rights to the user to access the source code, the instructions to build, and the right to redistribute...

supriyo-biswas

What probably carries more value is the helm charts that they provide which are also on their way out.

The images themselves have official replacements (for example, looking at https://hub.docker.com/u/bitnami why wouldn’t I use Node or Postgres images from the official sources instead).

I have no idea how many people actually used their helm charts though.

progbits

They do keep some of them more up to date, for example the Bitnami Python image had system packages patched faster than the official one. But if you are willing to pay then Chainguard is a better solution.

firesteelrain

ChainGuard is $$$$$$$

We talked to them a couple years ago. A lot of what they are doing besides Wolfi is using Alpine which removes a lot of findings by default

asmor

Some other open source projects have also shipped Bitnami software in their own helm charts, i.e. APISIX's etcd instance is the Bitnami chart pulled in as a dependency.

Not that it ever worked well, we had to scale it to 1 because the quorum would constantly break into unrecoverable states.

nopurpose

"Makefile" they have written and copyrighting is very non trivial and there are many man-months of effort. Configuring all sorts of software just with env vars and make it usable is not an easy feat.

Have a look at https://github.com/bitnami/containers/tree/main/bitnami/post... as example.

It might be worth a commercial license for some of their current user-base, no doubt.

tomalbrc

This has to be a joke, right? Months of effort for a makefile? In which world do people live these days?

majkinetor

You seriously underestimate this in general case. Build system may be made in weeks, but is polished in months or even years, to account for all the different usage and environment scenarios. Otherwise, it's typically very fragile.

WesolyKubeczek

Tell me you haven't ever written even a moderately complex Makefile without telling me you haven't ever written even a moderately complex Makefile.

draw_down

It would only take you a weekend!

MathiasPius

Between the VMware licensing changes and this, it looks like Broadcom is making a serious play at dethroning Oracle as the most evil software vendor.

It's a shame that competition for this position has been ramping up lately.

martypitt

I'm still waiting to see how Broadcom will monetize the Spring ecosystem - which is widely used in almost all large enterprises.

Sadly, it feels like an inevitability at this point.

zdkaster

probability = 1.0

arcanemachiner

Good lord, I didn't know their tentacles were that deep. VMware sure had a lot of touch points.

abraae

Holy shit, Broadcom owns Spring? Yikes.

de6u99er

I am certain most of Bitnami's engineers don't agree with those decisions.

q3k

Broadcom has always been about pure evil (cough capitalism cough), you just haven't been affected by it before. Ask anyone who's worked with their hardware... So

MangoToupe

This is much less exciting once you realize how evil Broadcom is. Still, I suppose we all win in the short term.

elephantum

So, are they evil because they decided to stop sponsoring free network egress?

MathiasPius

Others have already provided good answers. I wouldn't classify it as evil if all they did was to stop maintaining the images & charts, I recognise how much time, effort and money that takes. Companies and open source developers alike are free to say "We can no longer work on this".

The evil part is in outright breaking people's systems, in violation of the implicit agreement established by having something be public in the first place.

I know Broadcom inherited Bitnami as part of an acquisition and legally have no obligation to do anything, but ethically (which is why they are evil, not necessarily criminal) they absolutely have a duty to minimise the damage, which is 100% within their power & budget as others have pointed out.

And this is before you even consider all the work unpaid contributors have put into Bitnami over the years (myself included).

tetha

It's also entirely fine if they delete these images to me. But not with a week of time frame, as originally intended.

And sure, we can go ahead and discuss how this being free incurs no SLAs or guarantees. That's correct, but does not mean that such a short time frame is both rude and not a high quality of offering a service. If I look at how long it would take us to cancel a customer contract and off-board those...

And apparently it costs $9 to host this for another month? Sheesh.

7bit

That's an assumption, but Broadcom is most likely using open source software in all of their apps. So they do have a moral to also give something back. So just saying it's fair that they don't want to provide something for free anymore isn't really all that fair.

buzer

The images are currently in Docker Hub. If $9/month (or $15, not 100% sure if $9 includes organizations) to keep those images available is too much for Bitnami I'm sure there are many organizations who wouldn't mind paying that bill for them (possibly even Docker Hub itself).

systemswizard

Broadcom is deciding to host it on their own registry and bear the associated cost of doing so. Not sure what this has to do with sponsoring network egress

runamok

Does said network egress cost $50k per user?

wilonth

I never understood the point of Bitnami. Every time I tried one of their image / package, it's a complicated mess full of custom and strange stuff, really hard to work with.

Instead of a simple package of the software based on some familiar base, you get some weird enterprise garbage that follows strange conventions and a nightmare when you need to customize anything.

andsens

100% agreed. I don’t understand the point of throwing all conventions out the window and building their own brittle scripts on top of it. All their images require docs to configure because none of the upstream documentation applies.

ryeats

What are some resources for these conventions? As far as I can tell everyone else rolls their own bespoke images based off of a project's image in order to customize the configuration.

de6u99er

At my last gig I avoided Bitnami container images and Helm charts wherever possible. We (me plus an AWS consultant) used Karpenter Autoscaler, Envoy Gateway API, Gatekeeper OPA, Loki/Prometheus/Grafana Stack, EDB Postgres Operator, ... and deployed all through a single comprehensive terraform script to an EKS cluster. I tried to keep reliance on one single company as low as possible. I even had a Plan B to replace S3 with MinIO in case the company decided to move to another cloud provider or an On Prem Kubernetes cluster.

My recommendation to everyone is to avoid Cloud Vendor Lock-In from the start, and even if it's more initial work, to try to have as much as possible running on Kubernetes.

brewmarche

Anyone know what happens to their Helm charts? As far as I know they remain available but do they work with non-Bitnami images? Can I use the official redis image instead of bitnami/redis with the Bitnami redis chart for example?

niemandhier

In the end, they have to do it because of the CSR, and they can do it because of the CSR.

The European Union Cyber Residence Act has the potential to drastically change the open source ecosystem.

The new regulation pushes the due diligence for security according to the Act towards any entity making a commercial offer based on open source software.

Caveat emptor!

For any enterprise, that means that they either do extensive documentation and security on open source components they use or they use foundation or enterprise-backed products.

Note that pure uncommercial open source projects are exempt from the Act.

I see this as a chance; we can still create open and free software, and those of us who desire financial compensation from those who make money with their work can offer as a necessary compliance framework as a service via a different entity.

tecleandor

They don't have to. They can do the paid secure images for the commercial offerings and keep the other ones free. Or they could free the secure images for everyone if they feel like that.

rcxdude

Hmmmm, I'm not sure that's how it would be read. If there's any 'associated commercial activity', it falls under the CSR, even if the images themselves are free and open source.

(That said, the overhead of the CSR is really not much, from what I can tell. It's pretty lightweight as EU standards go)

sofixa

I don't agree, they have to do all the CSR due diligence for the commercial offerings based on those open source projects, so there is no difference. The effort has to be done regardless if there's part of it that is open source and free, or not.

ehnto

I advocated an enterprise to migrate away almost two years ago now. In enterprise time that means the project to do so is just about complete, so I am feeling pretty vindicated just now.

gexla

Snooping around, it seems the license costs $50K+ annually. I'm not their target market. ;)

Valodim

From TFA

> BSI is effectively democratizing security and compliance for open source so that it doesn’t require million-dollar contracts from vendors with sky-high valuations.

I suppose 50k isn't a million dollar contract, but it's certainly also not "democratizing" anything

gexla

Depending on your needs, this could be a bargain as advertised. It's only expensive relative to what you can build on your own, or what competitors offer.

gexla

It's a bit tricky to work through all the jargon, but it's my understanding that they are simply pulling the mass of things that they provide for free. You can still get the Docker files for their offerings (not sure they offer all tags though?) and you can even use the images from Docker Hub.

But. What they are offering is considered "development" regardless of what you are using it for? In other words, NOT a production environment, because they aren't giving you a production environment (or at least what they define as a production environment.) What they give you for free is the "latest" and on a Debian system.

What they offer as "secure" is running on Photon OS and goes through a security pipeline, etc. They aren't holding anything back aside from the services they provide.

zdkaster

The easiest strategy to be profitable as biz without acquiring new users base, lol :P

rahkiin

It is sad to see how Broadcom cannot do padding right for mobile…

But on topic: why not create docker.io/bsi and let /bitnami as is without new updates? Then nothing breaks; it just won’t be possible to do upgrades. You’ll then figure out why and possibly seamlessly switch to your own build or BSI.

cube00

> It is sad to see how Broadcom cannot do padding right for mobile…

It's on brand when you consider how badly the styling in Rally needs an update.

orthoxerox

Because "bitnami" has brand value. It makes business sense to reuse the name for the new service you are trying to sell.

Aeolun

Any brand value that Bitnami has will be entirely destroyed by this incomprehensible change. People will associate the ‘bitnami’ namespace with “can’t possibly utilize for long term production use”

quectophoton

Understandable.

The way I see it, a software project has only (1) code you maintain or pay someone to maintain for you, and/or (2) throwaway code that you will eventually need to replace with an incompatible version.

Nothing wrong with a project that is just gluing throwaway code because it's a gamble that usually pays off. But if that code is from third-party dependencies, just don't believe for a second that those dependencies (or any compatible forks) will outlive your project, or that their developers have any incentive at all to help you maintain your project alive.

daitangio

Bitnami K8s helm charts were very well done but overall we can live without them.

I would suggest Broadcom offer two tiers: one free on their repository and one set of more specific images.

Burning the docker.io images is a dumb move.