Improve documentation for using private docker repos with marathon

Description

If you google dcos marathon private docker (or words to that effect) you get these docs:
https://mesosphere.github.io/marathon/docs/native-docker-private-registry.html

The example works; however, the approach of putting your credentials in the same place on every node is a lot of work, means that every new node which starts up needs manual intervention or extra automation to work, and overall it is not very DCOS.

I have at least twice helped out other dcos users on Slack who have had issues with this after following that documentation.

It is not obvious to people that they can put their docker.tar.gz credentials at an HTTPS URL (instead of on the node filesystem).

Furthermore, there are many people who use AWS, and I have found an approach that works well for AWS which other dcos community users have also found helpful and which would be good to add to the docs (and even to bake into the CloudFormation template).
The approach that I use is to put the docker credentials file into an S3 bucket and then make that bucket only accessible from within the mesos VPC - I think this provides a very good balance of ease of use and security. Docs on how to set up S3 buckets are here: http://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies-vpc-endpoint.html

I have come across other dcos users who use HDFS to store these credentials; that might also be a good example for the docs.

I think this is something that comes up pretty early in any user's first trials of DCOS so it would be nice if the documentation and experience could be better.

Assignee

Suzanne Scala
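
The S3 approach described in the issue, sketched as an added example (not part of the original issue or of the Marathon docs): it builds a bucket policy that allows reading the credentials archive only through one VPC endpoint, audits a policy for statements lacking that restriction, and shows a Marathon app fragment that fetches the archive over HTTPS. The bucket name, endpoint id, app id and image are constructed placeholders, and an S3 VPC endpoint in the cluster's VPC is assumed.

```python
import json

# Constructed placeholders (not from the issue): bucket, object key, endpoint id.
BUCKET = "example-dcos-docker-creds"
KEY = "docker.tar.gz"
VPCE_ID = "vpce-0example"

def bucket_policy(bucket, key, vpce_id):
    """Bucket policy: GetObject on one key, allowed only through one VPC endpoint."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ReadDockerCredsFromVpcOnly",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/{key}",
            "Condition": {"StringEquals": {"aws:sourceVpce": vpce_id}},
        }],
    }

def unrestricted_statements(policy):
    """Return Sids of Allow statements open to any principal with no VPC endpoint condition."""
    flagged = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        is_public = principal == "*" or principal == {"AWS": "*"}
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        # IAM condition keys are case-insensitive, so normalise before matching.
        scoped = any(k.lower() == "aws:sourcevpce" for k in cond)
        if stmt.get("Effect") == "Allow" and is_public and not scoped:
            flagged.append(stmt.get("Sid", "<no Sid>"))
    return flagged

def marathon_app(bucket, key, image):
    """Marathon app fragment (relevant fields only): fetch the archive via HTTPS, not file://."""
    return {
        "id": "/private-image-app",  # hypothetical app id
        "container": {"type": "DOCKER", "docker": {"image": image}},
        "uris": [f"https://{bucket}.s3.amazonaws.com/{key}"],
    }

if __name__ == "__main__":
    policy = bucket_policy(BUCKET, KEY, VPCE_ID)
    assert unrestricted_statements(policy) == []
    print(json.dumps(policy, indent=2))
    print(json.dumps(marathon_app(BUCKET, KEY, "registry.example.com/team/app:1.0"), indent=2))
```

With this policy every workload that can reach the VPC endpoint can read the archive, so the registry account stored in it should be a pull-only one.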
