Avoid DevOps disruption by Docker Hub changes
Docker will start rate-limiting image pulls from Docker Hub on November 1st, potentially halting a fair number of CI/CD pipelines.
Docker dealing with network egress
Roughly 30% of all downloads on Docker Hub come from only 1% of anonymous users
Not only has it a price tag, but it surely affects the overall performance of the world’s largest container registry1 as well.
New subscription plans
To control the unfair share of network egress, the structure of the subscription plans has been announced as follows:
- Free plan – anonymous users: 100 pulls per 6 hours
- Free plan – authenticated users: 200 pulls per 6 hours
- Pro plan – unlimited
- Team plan – unlimited
Docker Hub pull authentication
In most development teams 100 pulls per 6 hours is very likely to be insufficient, especially in teams that rely on Continuous Deployment.
Nevertheless, many teams would also find 200 pulls in 6 hours sufficient, meaning that authenticating the pulls would do.
Docker auth on CircleCI
Job setup on CircleCI2 is straightforward:
jobs:
build:
docker:
- image: acme-private/private-image:321
auth:
username: my-docker-hub-user
password: $DOCKER_HUB_PASSWORD
Pull rate limit for CircleCI images
Many developers use pre-built CircleCI Docker images3 (e.g. circleci/ruby) to leverage CircleCI’s caching. Pulls are therefore much faster.
It’s relevant to keep in mind that all CircleCI images count towards pull rate limit as well.
Docker auth on GitHub Actions
Workflow step configuration on GitHub Actions leverages docker/login-action:
steps:
- name: Login to Docker Hub
uses: docker/login-action@v1
with:
username: ${{ secrets.DOCKER_HUB_USERNAME }}
password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}
Caching Docker images on GitLab CI
GitLab team advises developers to start the registry mirror4 that would avoid reaching pull rate limits. Mirror would cache the pulls and not turn to Docker Hub when the cache is there.