Docker will start rate-limiting image pulls from Docker Hub on November 1st, potentially halting a fair number of CI/CD pipelines.

Docker dealing with network egress

Roughly 30% of all downloads on Docker Hub come from only 1% of anonymous users

Not only has it a price tag, but it surely affects the overall performance of the world’s largest container registry1 as well.

New subscription plans

To control the unfair share of network egress, the structure of the subscription plans has been announced as follows:

  • Free plan – anonymous users: 100 pulls per 6 hours
  • Free plan – authenticated users: 200 pulls per 6 hours
  • Pro plan – unlimited
  • Team plan – unlimited

Docker Hub pull authentication

In most development teams 100 pulls per 6 hours is very likely to be insufficient, especially in teams that rely on Continuous Deployment.

Nevertheless, many teams would also find 200 pulls in 6 hours sufficient, meaning that authenticating the pulls would do.

Docker auth on CircleCI

Job setup on CircleCI2 is straightforward:

jobs:
  build:
    docker:
      - image: acme-private/private-image:321
        auth:
          username: my-docker-hub-user
          password: $DOCKER_HUB_PASSWORD

Pull rate limit for CircleCI images

Many developers use pre-built CircleCI Docker images3 (e.g. circleci/ruby) to leverage CircleCI’s caching. Pulls are therefore much faster.

It’s relevant to keep in mind that all CircleCI images count towards Docker Hub’s pull rate limit as well.

Docker auth on GitHub Actions

Workflow step configuration on GitHub Actions leverages docker/login-action:

steps:
  - name: Login to Docker Hub
    uses: docker/[email protected]
    with:
      username: ${{ secrets.DOCKER_HUB_USERNAME }}
      password: ${{ secrets.DOCKER_HUB_ACCESS_TOKEN }}

Caching Docker images on GitLab CI

GitLab team advises developers to start the registry mirror4 that would avoid reaching pull rate limits. Mirror would cache the pulls and not turn to Docker Hub when the cache is there.