
From a security and reproducibility perspective, you shouldn’t want to pull directly. I’ve used Artifactory in the past as a pass-through cache that can “promote” images, making them available to test and production environments as they go through whatever validation process is required. Then you know images (or packages, or gems, or modules, or whatever you are deploying) have at least been tested and an unpinned dependency isn’t going to surprise you in production.
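An added example (not from any commenter) of the pinned-and-promoted discipline this comment describes: a small Python checker that redirects digest-pinned FROM images in a Dockerfile to an internal registry of promoted images and reports anything pinned only by a mutable tag. The internal registry hostname and its path layout are assumptions.

```python
import re

# Assumed internal registry that serves only promoted (validated) images.
INTERNAL_REGISTRY = "registry.internal.example/promoted"

# registry (has a dot or port, or is localhost) / repo path [:tag] [@digest]
IMAGE_RE = re.compile(
    r"^(?:(?P<registry>[^/]+\.[^/]+|localhost(?::\d+)?|[^/]+:\d+)/)?"
    r"(?P<repo>[a-z0-9][a-z0-9._/-]*?)"
    r"(?::(?P<tag>\w[\w.-]{0,127}))?"
    r"(?:@(?P<digest>sha256:[a-f0-9]{64}))?$"
)
FROM_RE = re.compile(r"^(\s*FROM\s+)(?:(--platform=\S+)\s+)?(\S+)(.*)$", re.IGNORECASE)

def parse_image(ref):
    """Split an image reference into registry, repo, tag and digest."""
    m = IMAGE_RE.match(ref.strip())
    if not m:
        raise ValueError(f"unparseable image reference: {ref!r}")
    reg, repo, tag, digest = m.group("registry", "repo", "tag", "digest")
    if reg is None and "/" not in repo:
        repo = "library/" + repo  # Docker Hub official images live under library/
    return {"registry": reg or "docker.io", "repo": repo, "tag": tag, "digest": digest}

def rewrite_from_lines(dockerfile_text):
    """Return (rewritten_text, problems): pinned images are redirected to the
    internal registry; tag-only images are left alone and reported."""
    out, problems = [], []
    for lineno, line in enumerate(dockerfile_text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m or m.group(3).lower() == "scratch":
            out.append(line)
            continue
        prefix, platform, ref, rest = m.groups()
        try:
            img = parse_image(ref)
        except ValueError as exc:
            problems.append(f"line {lineno}: {exc}")
            out.append(line)
            continue
        if img["digest"] is None:
            problems.append(f"line {lineno}: {ref} is pinned only by tag "
                            f"'{img['tag'] or 'latest'}', which can change under you")
            out.append(line)
            continue
        # Keep the upstream registry as a path component so docker.io/library/foo
        # and ghcr.io/x/foo cannot collide inside the internal registry.
        new_ref = f"{INTERNAL_REGISTRY}/{img['registry']}/{img['repo']}"
        new_ref += f":{img['tag']}" if img["tag"] else ""
        new_ref += f"@{img['digest']}"
        out.append(f"{prefix}{platform + ' ' if platform else ''}{new_ref}{rest}")
    return "\n".join(out), problems
```

Run it in CI against every Dockerfile and fail the build when `problems` is non-empty, so an image only ever reaches production by the promoted path and by digest.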


Artifactory is a tire fire though.

Someone (maybe the podman folks?) should do what every Linux distribution has done, and set up a network of signed mirrors that can be rsynced.


I think the scale would be the problem.

Debian is 5TB.

Five years ago when Docker changed a storage policy they said it would save 5PB. I can't find the current size of Docker Hub.

That's a huge cost to expect from a free mirror service, especially when a large fraction is of very limited interest, and unlike a Linux distribution Docker Hub isn't organized. (It's easy to only mirror the AMD64 packages for Debian, for example.)

The Docker client also isn't able to work with a partial mirror.


This is what I've seen (and done) at every place that used containers at any kind of scale. I'm frankly impressed with the people who can sleep at night with their production hosts pointed directly at docker hub.


Agreed, it seems like a bunch of people in this thread are scared of having to set up authentication and monitoring, but are not scared of a chain attack in the latest docker image they never even looked at.



