Docker limits unauthenticated pulls to 10/HR/IP from Docker Hub, from March 1
426 comments
·February 21, 2025solatic
rjst01
Let me give you an alternative perspective.
My startup pays Docker for their registry hosting services, for our private registry. However, some of our production machines are not set up to authenticate towards our account, because they are only running public containers.
Because of this change, we now need to either make sure that every machine is authenticated, or take the risk of a production outage in case we do too many pulls at once.
If we had instead simply mirrored everything into a registry at a big cloud provider, we would never have paid docker a cent for the privilege of having unplanned work foisted upon us.
hkwerf
I get why this is annoying.
However, if you are using docker's registry without authentication and you don't want to go through the effort of adding the credentials you already have, you are essentially relying on a free service for production already, which may be pulled any time without prior notice. You are already taking the risk of a production outage. Now it's just formalized that your limit is 10 pulls per IP per hour. I don't really get how this can shift your evaluation from using (and paying for) docker's registry to paying for your own registry. It seems orthogonal to the evaluation itself.
hedora
The big problem is that the docker client makes it nearly impossible to audit a large deployment to make sure it’s not accidentally talking to docker hub.
This is by design, according to docker.
I’ve never encountered anyone at any of my employers that wanted to use docker hub for anything other than a one-time download of a base image like Ubuntu or Alpine.
I’ve also never seen a CD deployment that doesn’t repeatedly accidentally pull in a docker hub dependency, and then occasionally have outages because of it.
It’s also a massive security hole.
Fork it.
themgt
I don't really get how this can shift your evaluation from using (and paying for) docker's registry to paying for your own registry
Announcing a new limitation that requires rolling out changes to prod with 1 week notice should absolutely shift your evaluation of whether you should pay for this company's services.
gcapu
If you offer a service, you have some responsibility towards your users. One of those responsibilities is to give enough notice about changes. IMO, this change doesn't provide enough notice. Why not making it a year, or at least a couple of months? Probably because they don't want people to have enough notice to force their hand.
popalchemist
It's bait and switch that has the stakes of "adopt our new policy, that makes us money, that you never signed up for, or your business fails." That's a gun to the head.
Not an acceptable interaction. This will be the end of Docker Hub if they don't walk back.
withinboredom
Yes. But they are paying for this bandwidth, authenticated or not. This is just busy work, and I highly doubt it will make much of a difference. They should probably just charge more.
atkailash
[dead]
londons_explore
> take the risk of a production outage in case we do too many pulls at once.
And the exact time you have some production emergency is probably the exact time you have a lot of containers being pulled as every node rolls forward/back rapidly...
And then docker.io rate limits you and suddenly your 10 minute outage becomes a 1 hour outage whilst someone plays a wild goose chase trying to track down every docker hub reference and point it at some local mirror/cache.
wat10000
I mean, don’t build your production environment to rely on some other company’s free tier, and then act surprised when they throttle high usage.
And yes, you’re still using the free tier even if you pay them, if your usage doesn’t have any connection to your paid account.
rad_gruchalski
> If we had instead simply mirrored everything into a registry at a big cloud provider, we would never have paid docker a cent for the privilege of having unplanned work foisted upon us.
Indeed, you’d be paying the big cloud provider instead, most likely more than you pay today. Go figure.
zmgsabst
I’d you’re using popular images, they're probably free.
jdhendrickson
Devsec/ops guy here, the fact that you were pulling public images at all ever is the thing that is insane to me.
orochimaaru
They should have provided more notice. Your case is simply prioritizing work that you would have wanted to complete anyway. As a paying customer you could check if your unauthenticated requests can go via specific outbound IP addresses that they can then whitelist? I’m not sure but they may be inclined to provide exceptions for paying customers - hopefully.
rjst01
> Your case is simply prioritizing work that you would have wanted to complete anyway
It's busy-work that provides no business benefit, but-for our supplier's problems.
> specific outbound IP addresses that they can then whitelist
And then we have an on-going burden of making sure the list is kept up to date. Too risky, IMO.
cpuguy83
This was announced last year.
fennecbutt
So it goes. You're a business, pay to make the changes. It's a business expense. Docker ain't doing anything that their agreements/licenses say they can't do.
It's not fair, people shout. Neither are second homes when people don't even have their first but that doesn't seem to be a popular opinion on here.
SSLy
> mirrored everything into a registry at a big cloud provider
https://cloud.google.com/artifact-registry/docs/pull-cached-...
dbalatero
You might try complaining and see if they give you an extension.
vineyardmike
Docker is a company, sure, and they’re entitled to compensation for their services, sure. That said, bandwidth is actually really cheap. Especially at that scale. Docker has publicly been struggling for cash for years. If they’re stuck on expensive clouds from a bygone VC era, that’s on them. Affordable bandwidth is available.
My main complaint is:
They built open source tools used all over the tech world. And within those tools they privileged their own container registry, and provided a decade or more of endless and free pulls. Countless other tools and workflows and experiences have been built on that free assumption of availability. Similarly, Linux distros have had built-in package management with free pulling for longer than I’ve been alive. To get that rug-pull for open-source software is deeply disappointing.
Not only that, but the actual software hosted on the platform is other people’s software. Being distributed for free. And now they’re rent-seeking on top of it and limiting access to it.
I assume most offices and large commercial businesses have cached and other tools built into their tools, but for indie developers and small businesses, storage of a ton of binary blobs starts to add up. That’s IF they can even get the blobs the first time, since I imagine they could experience contention and queuing if you use many packages.
And many people use docker who aren’t even really aware of what they’re doing - plenty of people (myself included) have a NAS or similar system with docker-wrapping GUI pre-installed. My NAS doesn’t even give me the opportunity to login to docker hub when pulling packages. It’s effectively broken now if I’m on a CGNAT.
clvx
You can always rebuild the dockerfile, or create an account increasing your pull limit, or just host all the free infrastructure they’ve already built, or use competitors providing the same service with the risk of them doing exactly the same in the future. The difference with docker hub and just mirroring a linux repo is docker made it really easy for people so they don’t need it to get into infra weeds but the complexity was always there.
josephcsible
> or just host all the free infrastructure they’ve already built, or use competitors providing the same service
That would be more reasonable if they didn't go out of their way to make doing so painful: https://github.com/moby/moby/issues/7203
kazinator
"foo.com will always be there and privide free, unlimited use" is the primary example of "clouded" thinking.
lou1306
> Countless other tools and workflows and experiences have been built on that free assumption of availability
Cannot help but notice that, had Microsoft offered such a sweet deal, this place would've been ablaze with cries of "Embrace, extend, extinguish" and suchlike. (This still regularly happens, e.g., when new Github features are announced). Perhaps even justifiably so, but the community has failed to apply that kind of critical thinking to any other company involved in open source. If your workflow is not agnostic wrt where you pull images from, it is kind of silly to blame it on Docker Inc.
Having said that, it is definitely a problem for many. I work at a technical university and I am sure colleges/research institutes will hit the limit repeatedly and easily.
lucianbr
Too right. Now I'm starting to wonder how long my gmail account will remain free, and for that matter how long my HN account will remain free.
theamk
[dead]
wkat4242
Hmm yes but if it is limited to 10 in an hour that could even be an issue for hobbyists if you update multiple dockers at the same time. For example the excellent matrix ansible playbook pulls numerous dockers in a single update run because every little feature is in a separate container. Same with home assistant add-ons. It's pretty easy to reach 10 in an hour. Even though you may not pull any for a whole month afterwards. I only do this once a month because most matrix bridges only get updates at that rate.
I have to say though, 90% of the dockers I use aren't on docker hub anymore. Most of them reside on the github docker repo now (ghcr.io). I don't know where the above playbook pulls from though as it's all automated in ansible.
And really docker is so popular because of its ecosystem. There are many other container management platforms. I think that they are undermining their own value this way. Hobbyists will never pay for docker pulls but they do generate a lot of goodwill as most of us also work in IT. This works the other way around too. If we get frustrated with docker and start finding alternatives it's only a matter of time until we adopt them at work too.
If they have an issue with bandwidth costs they could just use the infrastructure of the many public mirrors available that also host most Linux distros etc. I'm sure they'd be happy to add publicly available dockers.
RobotToaster
This wouldn't be much of a problem for hobbyists if this was 240 per day or 1680 per week, but hitting 10 is easy.
aragilar
It's not significantly different to the current rates (based on https://web.archive.org/web/20201101055027/https://www.docke... and https://web.archive.org/web/20250000000000*/https://www.dock...), 6 less pulls for free per hour, 7 more for authenticated, but it's now less forgiving to larger bursts.
Ironically, it's the paid rates that are being reduced more (though they don't have hourly limits still, so more flexibility, but the fair use thing might come up), as they were infinite previously, now Pro is 34 pulls/hour (on average, which is less than authenticated), Team is 138 pulls/hour (or 4 times Pro) and Business 1380 pulls/hour (40 times pro, 10 times team).
My feeling this is trying to get more people to create docker accounts, so the upsell can be more targeted.
theshrike79
This means there is a market for a docker proxy. Just install it, in a Docker container of course, and it caches the most common containers you use locally!
mitjam
K3s (a lightweight Kubernetes) has an embedded registry mirror (https://docs.k3s.io/installation/registry-mirror)
jabart
Docker Personal is free and does 40 pulls an hour. Why is everyone stuck on the 10 an hour number?
drpossum
My personal information is not free.
RegnisGnaw
Unauthenticated users
blitzar
The entitlement of ... the VC powered powerplant that reinvented and reimagined electricity, gave out free electricity and put all the comeptitors out of business, succeeded in monopolizing electrity then come looking for a payday so they can pad the accounts and 'exit' passing it off to the next round of suckers. Truly unbelieveable.
fennecbutt
That's business, baby. We're all involved in it, like it or not. And especially American tech/developer culture seems to thrive on fyigm gated community stuff.
I couldn't give 2 shits whatever Docker does. They're a service, if I wanna use it I'll pay, if not then I'll use something else. Ez pz
WhyNotHugo
There’s plenty of folks behind a CGNAT, sometimes shared with thousands of others. And this is more common in regions where actually paying for this service is often too expensive.
I’ve also seen plenty of docker-compose files which pull out this amount of images (typically small images).
I’m not saying that Docker Inc should provide free bandwidth, but let’s not also pretend that this won’t be an issue for a lot of users.
InsomniacL
> Can't believe the sense of entitlement in this thread.
I don't use Docker so I genuinely don't know this...
Is the Docker Library built on the back of volunteers which is then used to sell paid subscriptions?
Does this commercial company expect volunteers to give them images for free which give their paid subscriptions value?
Zandikar
> Does this commercial company expect volunteers to give them images for free which give their paid subscriptions value?
Yes, to an extent, because it costs money to store and serve data, no matter what kind of data it is or it's associated IP rights/licensing/ownership. Regardless, this isn't requiring people to buy a subscription or otherwise charging anyone to access the data. It's not even preventing unauthenticated users from accessing the data. It's reducing the rate at which that data can be ingested without ID/Auth to reduce the operational expense of making that data freely (as in money) and publicly available. Given the explosion in traffic (demand) and the ability to make those demands thanks to automation and AI relative to the operational expense of supplying it, rate limiting access to free and public data egress is not in and of itself unreasonable. Especially if those that are responsible for that increased OpEx aren't respecting fair use (legally or conceptually) and even potentially abusing the IP rights/licensing of "images [given] for free" to the "Library built on the back of volunteers".
To what extent that's happening, how relevant it is to docker, and how effective/reasonable Docker's response to it are all perfectly reasonable discussions to have. The entitlement is referring to those that explicitly or implicitly expect or demand such a service should be provided for free.
Note: you mentioned you don't use docker. a single docker pull can easily be 100's of MB's (official psql image is ~150MB for example) or even in some cases over a GB worth of network transfer depending on the image. Additionally, there is no restriction by docker/dockerhub that prevents or discourages people from linking to source code or alternative hosts of the data. Furthermore you don't have to do a pull everytime you wish to use an image, and caching/redistributing them within your LAN/Cluster is easy. Should also be mentioned Docker Hub is more than just a publicly accessible storage endpoint for a specific kind of data, and their subscription services provide more that just hosting/serving that data.
Aurornis
> Does this commercial company expect volunteers to give them images for free which give their paid subscriptions value?
If you're only looking at Docker Hub as a host of public images, you're only seeing the tip of the iceberg.
Docker Hub subscriptions are primarily for hosting private images, which you can't see from the outside.
IMO, hosting public images with 10 pulls per hour is plenty generous, given how much bandwidth it uses.
wiether
It's like GitHub limiting the number of checkout you can do each hour on public repos. Unless you pay a sub to get rid of the limit.
So, yeah, they kind of taking advantage of people putting their work on DH to try&sell subs.
But nobody have to put their images on DH. And to be honest, I don't think the discoverability factor is as important on DH that it is on GitHub.
So if people want to pay for they own registry to make it available for free for everyone, it's less an issue than hosting your repo on your own GitLab/Gitea instance.
goodpoint
> Is the Docker Library built on the back of volunteers which is then used to sell paid subscriptions?
Yes.
> Does this commercial company expect volunteers to give them images for free which give their paid subscriptions value?
Yes.
theamk
[dead]
azalemeth
I'm behind cgnat with half a city.
Limits per IPv4 address are really, really annoying. All I can do is flick on a VPN... which likely won't work either
realityking
Good news, Docker Hub supports IPv6.
https://www.docker.com/blog/docker-hub-registry-ipv6-support...
BenjiWiebe
Hopefully they have IPv6. Plenty of ISPs will happily put you behind CGNAT and have no IPv6 available.
Wowfunhappy
If you use IPv6, the limit is per /64 subnet.
I don't know enough about IPv6, is this potentially its own problem?
jabart
Docker Personal is free unless I am missing something?
TeMPOraL
Authentication and automation don't mix well.
null
sethops1
> All I can do
You could also, you know, pay Docker for the resources you're using.
gertlex
He could also hit the limit downloading a single image, if I'm understanding his situation.
If I'm an infrequent tinkerer that occasionally needs docker images, I'm not going to pay a monthly cost to download e.g. 1 image/month that happens to be hosted on Docker's registry.
(It sounds like you can create an account and do authenticated pulls; which is fine and pretty workable for a large subset of my above scenario; I'm just pointing out a reason paying dollars for occasional one-off downloads is unpopular)
jonhohle
From a security and reproducibility perspective, you, shouldn’t want to pull directly. I’ve used Artifactory in the past as a pass through cache that can “promote” image, making them available to test and production environments as they go through whatever validation process is required. Then you know images (or packages, or gems, or modules, or whatever you are deploying) has at least been tested and an unpinned dependency isn’t going to surprise you in production.
hedora
Artifactory is a tire fire though.
Someone (maybe the podman folks?) should do what every Linux distribution has done, and set up a network of signed mirrors that can be rsynced.
bityard
This is what I've seen (and done) at every place that used containers at any kind of scale. I'm frankly impressed with the people who can sleep at night with their production hosts pointed directly at docker hub.
jdhendrickson
Agreed, it seems like a bunch of people in this thread are scared of having to setup authentication and monitoring, but are not scared of chain attack in the latest docker image they never even looked at.
sigy
I host OSS images there, and I see no notice about how they will be affected. If they limit access to my published images, then it will be an issue. In that case the benefit and thus incentive for many of the projects which have made docker and docker hub pervasive goes away. Without that adoption, there would probably be no docker hub today.
This should help people understand a bit better why this feel a bit underhanded. The images are free, and I and many other OSS devs have used docker hub in partnership to provide access to software, often paying for the ability to publish there. In this case, any burden of extra cost was on the producer side.
Turning this into a way to "know" every user and extract some value from them is their prerogative, but it does not feel like it is good faith. It also feels a bit creepy in the sense of "the user is the product".
rcarmo
Most of the OSS projects I use seem to either have moved to the GitHub container registry or some other (smaller) equivalent. Some have even set up their own registries behind Cloudflare.
sodality2
One of the first things I did was move to Quay.io which is unlimited everything for OSS projects. I was reaching a point where I had 1M+ pulls a month (I suspect some kind of DDoS, accidental or otherwise, for a project with just 1.7k stars) - and not having to even think about the bandwidth or anything was wonderful. It's nice to be supported by Red Hat which I generally consider more benevolent towards OSS as opposed to Docker Hub.
8organicbits
Are you worried that Quay will be less generous in the future, similar to the changes at Docker hub?
trulyrandom
Does GitHub's container registry still require authentication for pulls?
OJFord
No, I wasn't aware it ever had.
danigarcia
As far as I know, only Github Packages requires authentication for downloads, but that's a separate thing to Github container registry
cpuguy83
They do have special provisions for OSS projects hosting their images on DH. I don't know all the details, but you should be able to find it in the docs.
vinyl7
This has been the standard practice for all tech companies. Make it free to capture the market and snuff out all competition. Once they have secured the whole market then its time to start making money to pay back the millions they borrowed from VCs for decades
bogeholm
It’s like playing Plague Inc. (reverse version of Pandemic the board game where you play as the disease): to win, develop all possible methods of spreading first; only then develop symptoms, and do it fast before anyone has time to react
thih9
I find it surprising that people notice the part about symptoms[1], and despite this happening repeatedly we do relatively little against the part about spreading.
Part of it is perhaps by definition, “spreading” already assumes success. Still, I’d welcome some regulation; or at least awareness; e.g. a neologism for companies in that stage, growing at cost and only getting ready to develop symptoms.
[1]: The American Dialect Society selected “Enshittification” as its 2023 word of the year, source: https://en.m.wikipedia.org/wiki/Enshittification
Bombthecat
There is no network effect here though. I can host my image wherever and still distribute it.
cluckindan
Good luck getting enterprises to use your non-vetted image repository.
keisborg
I feel that dockerhub no longer can be the steward for the default docker repo because of this and the limitations they previously have implemented. It is time for them to hand over the baton stick to someone else, or that the notion of a default repo is removed all together
null
hedora
For years, people have been trying to add a “override the default registry because docker hub is a single point of failure” option to the docker client.
Upstream has blocked it. A fork over this one little feature is long overdue.
horsawlarway
Personally - I don't really see this one making sense.
There's already a widely available way to specify exactly which repo you'd prefer in the docker client...
`docker pull [repo]/[image]:[tag]`
And that address format works across basically all of the tooling.
Changing the defaults doesn't actually make sense, because there's no guarantee that repo1/secure_image === repo2/secure_image.
Seems like a HUGE security issue to default named public images to a repo where the images may not be provided by the same owner.
lolinder
I like Podman's solution: all images must be fully qualified, with even Docker Hub images requiring a docker.io/ prefix.
raesene9
Fully qualified is indeed the way to go. Unfortunately a lot of tutorials manifests and other materials have short names, and changing the default registry just opens up a load of typo squatting attacks.
Arnavion
That said, they also maintain a list of aliases for a bunch of container images. https://github.com/containers/shortnames . My distro's podman package then drops in that file into /etc/containers/registries.conf.d/ via one of the package's dependencies.
ffsm8
That's a very good argument, but people have down used to dropping the domain prefix because it's always been optional.
Giving people the option to configure a default repository via the daemon.json would alleviate that issue, but I'm not sure if that's really enough to fork.
bArray
I agree it's the better proposal, but it does slightly break the "drop-in"-ness of Podman.
OptionOfT
That's why it is imperative that you use sha256 digests.
Remember, tags are mutable. `latest` today can be different tomorrow.
And it expands to all other tags. Nothing prevents me from pushing a new 'version' of a container to an existing `v1.0.1` tag.
Tags are not a way of uniquely identifying a container.
horsawlarway
Sure, digests are a good tool when needed, but there's a huge gulf between the risk factors here, and they don't really solve the "trust across repos" problem.
The top level image hashes tend to change between repos (because the image name changes in the manifest and is included in the hash).
So you'd have to go through an verify each layer sha.
Good tool for selecting an exact image in a repo, not a replacement for trust at the naming level (it's a bit like the difference between owning a domain and cert pinning with hpkp).
zdw
`latest` also has many different definitions. Some people think it's tip of the dev branch (ie, pulling from `main` git branch), some people think it's most recent stable release (ie, some released tag).
One way to get around this is to just not use `latest` at all, and only push docker tags that perfectly mirror the corresponding git branches/tags.
londons_explore
that really depends on your thoughts of the trustworthiness of the 'owners' of those tags vs the security bugs in the sha256 you pinned and then didn't keep an eye on...
m463
I believe redhat knew of this and was one of the reasons they wrote podman.
(podman is a docker compatible replacement with a number of other nice features besides being able to configure the registry)
that said, you can configure "registry-mirrors" in /etc/docker/daemon.json although it is not the same thing
xvilka
Podman[1] is the answer.
sanewombat
To elaborate on this, podman allows specifying mirrors, as described in https://github.com/containers/image/blob/main/docs/container...
So the source of the image can be decided on pull. Some more on this https://www.redhat.com/en/blog/manage-container-registries
donmcronald
> So the source of the image can be decided on pull.
It looks like it's ordered by priority.
unqualified-search-registries = ['registry.fedoraproject.org', 'registry.access.redhat.com', 'registry.centos.org', 'docker.io']
mattgreenrocks
This gets at something I've never quite understood about Docker. And it might be a dumb question: why do we need a dedicated host for Docker images in the first place?
I can see the use case for base images: they're the canonical, trusted source of the image.
But for apps that are packaged? Not as much. I mean, if I'm using a PaaS, why can't I just upload my Docker image to them, and then they store it off somewhere and deploy it to N nodes? Why do I have to pay (or stay within a free tier) to host the blob? Many PaaS providers I've seen are happy to charge a few more bucks a month just to host Docker images.
I'm not seeing any sort of value added here (and maybe that's the point).
binfinger
You can host OCI images anywhere. Unfortunately, this breaks all of the tutorials people use to develop software.
ajross
So, on a technical level, obviously you don't. "docker image import" allows images to be stored anywhere you want.
But obviously the real problem is that you're asking the wrong question. We don't "need" a centralized image repository. We WANT one, because the feature that Docker provides that "just use a tarball" doesn't (in addition to general ease-of-use, of course) is authentication, validation and security. And that's valuable, which is why people here are so pissed off that it's being locked behind a paywall.
But given that it has value... sorry folks, someone's got to pay for it. You can duplicate it yourself, but that is obviously an engineering problem with costs.
Just write the check if you're a heavy user. It's an obvious service with an obvious value proposition. It just sucks if it wasn't part of your earlier accounting.
lolinder
> It just sucks if it wasn't part of your earlier accounting.
I generally agree with you, but to be fair to the complainers, what sucks is that Docker didn't make it clear up front that it should be part of your accounting. I don't know if they always intended to monetize this way (if so, we'd call that a bait and switch) or if they sincerely had other plans that just didn't pan out, but either way the problem is the same: There's a trend across all of technology of giving your stuff away for free until you become the obvious choice for everything, then suddenly altering the deal and raising prices.
That kind of behavior has in the past been deemed anticompetitive and outlawed, because it prevents fair competition between solutions on their merits and turns it into a competition for who has the deepest war chest to spend on customer-acquisition-by-free-stuff.
fennecbutt
Everyone on here cries about this behaviour unless they're the ones with stakes in a biz and their stocks going up up up. Then suddenly it's just business.
vel0city
They announced limits changes were going to happen on this date over a year ago. They've slowly ratcheted down limits for the past few years.
tomnipotent
Business isn't static. Costs and operations are not static.
At one point Docker probably may have had an authentic intent for a free service, but costs along the way changed the reality of operations and long-term cash flow and success of the business required making changes. Maybe the cash saved from bandwidth is what makes the next project possible that helps them grow the bottom line.
Further what was once a positive value proposition 18 months ago can turn into a losing proposition today, and a company should be allowed to adapt to new circumstances and be allowed to make new decisions without being anchored and held back by historical decisions (unless under contract).
As fun as it is hold executives to unrealistic standards, they're not fortune-tellers that can predict the future and they're making the best possible decisions they can given the constraints they're under. And I don't begrudge them if those decisions are in their own best interest, such as is their responsibility.
I'll give Docker the benefit of the doubt that this wasn't a bait-and-switch, that they never excepted it to become so successful, and that costs outpaced their ability to monetize the success and were eating into cash reserves faster than plan. I think the current outcome isn't so bad, and that we're still getting a considerable amount of value for free. It's unfortunate that some people are only finding out now, and are now under pressure to address an issue they didn't sign up for.
stkdump
> authentication, validation and security
Those are generally solved using SSL, no need for centralized storage.
hedora
Forcing the client to default to a centralized repo only provides value to docker though, not to the customers.
ajross
If there was no value provided to customers, then why are people in this thread so angry? They're angry because something valuable they used to get for free now requires money!
Standing up your own registry is trivial at the kind of scales (dozens-to-hundreds of images pulls per day!) that we're talking about. It's just expensive, so people want Docker, Inc. to do it for free. Well...
suryao
This sucks for individuals and open source. For folks that have a heavy reliance on dockerhub, here are some things that may help (not all are applicable to all use cases):
1. Setup a pull through mirror. Google Artifact Registry has decent limits and good coverage for public images. This requires just one config change and can be very useful to mitigate rate limits if you're using popular images cached in GAR.[1]
2. Setup a private pull through image registry for private images. This will require renaming all the images in your build and deployment scripts and can get very cumbersome.
3. Get your IPs allowlisted by Docker, especially if you can't have docker auth on the servers. The pricing for this can be very high. Rough numbers: $20,000/year for 5 IPs and usually go upwards of $50k/year.
4. Setup a transparent docker hub mirror. This is great because no changes need to be made to pipelines except one minor config change (similar to 1). We wrote a blog about how this can be done using the official docker registry image and AWS.[2] It is very important to NOT use the official docker registry image [3] as that itself can get throttled and lead to hairy issues. Host your own fork of the registry image and use that instead.
We spent a lot of time researching this for certain use cases while building infrastructure for serving Github actions at WarpBuild.
Hope this helps.
[1] https://cloud.google.com/artifact-registry/docs/pull-cached-...
knallfrosch
Register for free and you get a higher limit: 40 pulls is plenty. What do you imagine running that requires more than 40 dockerhub (not local) pulls on an hourly basis?
tekno45
if i start an eks cluster in a NAT environment with 10 nodes and 4 daemon sets. I need 40 pulls by default. Lots of tutorials out there to do this that will no longer work as well.
merb
does eks pull k8s stuff from docker.io? I thought k8s images are not on docker.io, I doubt that aws puts their special images there.
__MatrixMan__
It seems like a good time to point out that oci images' layer-based caching system is incredibly bandwidth inefficient. A change to a lower layer invalidates all layers above it, regardless of whether there's actually any dependency on the changed data.
With a competent caching strategy (the sort of thing you'd set up with nix or bazel) it's often faster to send the git SHA and build the image on the other end than it is to move built images around. This is because 99% of that image you're downloading or pushing is probably already on the target machine, but the images don't contain enough metadata to tell you where that 1% is. A build tool, by contrast, understands inputs and outputs. If the inputs haven't changed, it can just use the outputs which are still lying around from last time.
silverwind
> A change to a lower layer invalidates all layers above it
Does it have to? It seems it should be possible to diff the layers and only invalidate if there are conflicts.
__MatrixMan__
The way Dockerfiles work, yes I think it does need to do this. It wouldn't be a matter of "conflicts" but rather of assembling containers with the wrong data. Imagine a Dockerfile like so:
RUN echo 1 > A
RUN echo "$(cat A) + 1" | bc > B
If, in a later version, the first command changes to `echo 3 > A` then the contents of B should become "4", even though the second command didn't change. That is, neither layer can be reused because the layers depend on each other.
But maybe there's no dependency. If your Dockerfile is like this:
RUN echo 1 > A
RUN echo 2 > B
RUN echo 3 > A # new
RUN echo 2 > B # no dependency on layer 1, can be reused
Build tools like nix and bazel require more of the user. You can't just run commands all willy nilly, you have to tell them more info about which things depend on which other things. But the consequence is that instead of a list of layers you end up with a richer representation of how dependency works in your project (I guess it's a DAG). Armed with this, when you try to build the next version of something, you only have to rebuild the parts that actually depend on the changes.
Whether the juice is worth the squeeze is an open question. I think it is.
jensenbox
While not a great solution you can set one of these up on your network: https://docs.docker.com/docker-hub/image-library/mirror/#sol...
A giving person could also set one of these up publicly facing and share it out.
notpushkin
Google has one:
{
"registry-mirrors": ["https://mirror.gcr.io"]
}bmicraft
Having gcr.io and ghcr.io both be a thing is kinda funny to me, almost like google typo-squatting github.
homebrewer
JFYI,
% whois gcr.io | grep 'Creation Date'
Creation Date: 2014-11-17T19:32:25Z
% whois ghcr.io | grep 'Creation Date'
Creation Date: 2020-04-16T16:48:05Zgrandempire
GitHub culture has gone a little crazy with things like CI - assuming these cloud providers will always be up and providing their services for free.
If your project can’t afford to pay for servers and sometime to maintain it, I think we should stick with local shell scripts and precommit hooks.
zspitzer
This ain't great for Github Actions, as PRs might now fail as there are no secrets available, randomly depending on your runner's IP
Also it still takes some gymnastics to optionally support docker creds in a workflow https://github.com/orgs/community/discussions/131321
Lammy
I'm curious about this regarding GCP as well. I have a few Cloud Run Containers set up pulling their image directly from Docker Hub, then injecting my single config file from a Secrets-Manager-backed volume mount. That way I don't have to maintain my own package in GCP's Package Registry when the upstream project only publishes to Docker Hub
everfrustrated
Unless something has changed, GitHub pays a license to Docker to allow their runners IP space to avoid the rate limit.
baby_souffle
TIL! Can you link to a source for this? I am curious!
everfrustrated
May not be true anymore but was in the past when Docker first introduced the limits.
Very hard to find anything definitive still left on the web. This is all I could find...
https://github.com/actions/runner-images/issues/1445#issueco...
https://github.com/actions/runner-images/issues/1445#issueco...
immibis
Which means GitHub is going subscription-only in the near or mid-term future. Will we repeat the same mistakes?
kylegalbraith
As someone mentioned, GitHub has something to prevent this, but it's unclear (or at least undocumented) what.
We at Depot [0] work around this by guaranteeing that a new runner brought online has a unique public IP address. Thus avoiding the need to login to Docker to pull anything.
Subsequently, we also do the same unique public IP address for our Docker image build product as well. Which helps with doing image builds where you're pulling from base images, etc.
MrBuddyCasino
OTOH, I don't understand by the big cloud platforms don't support caching, or at least make it easy. Azure pulling container dependencies on every build just feels rude.
InsomniacL
Is there any licence constraints?
I.e Docker terms of service restrict distribution in this way?
Is there any technical restraints?
I.e Docker specify no-cache
I expect Docker don't want their images cached and would want you to use their service and transform you in to a paying subscriber through limitations on free tier.
aragilar
Caching is called out on https://docs.docker.com/docker-hub/usage/manage/.
My feeling is the way the naming scheme was defined (and subsequent issues around modifying the default registry), docker wanted to try to lock people into using docker hub over allowing public mirrors to be set up easily. This failed, so they've needed to pivot somewhat to reduce their load.
mmbleh
These platforms do cache quite a bit. It's just that there is a very high volume of traffic and a lot of it does update pretty frequently (or has to check for updates)
MrBuddyCasino
Are you saying they cache transparently? Because I haven't seen that mentioned in the docs.
martypitt
Gitlab does this, and it works nicely
terminalbraid
Seconding, though it does require some setup at least for self-hosted. Gitlab also has a full container registry built in, so it's not difficult to pull the image you want, push it to gitlab, and reference that going forward.
hahn-kev
Yeah I don't get why I have to setup caching myself for this kind of thing. Like wouldn't it be more efficient to do it lower down in their infra anyway?
wkat4242
Yes rude and lazy on their part.
05
Just mirror what you need to ghcr, I guess..
chillaranand
I stumbled up on this issue recently while setting up GHA and switched to AWS ECR Gallery which doesn't have limits.
My blog post on the same at https://avilpage.com/2025/02/free-dockerhub-alternative-ecr-...
mdaniel
I can tell you with 100% certainty that ECR definitely has limits, just not "screw you" ones like the blog post. So, while I do think switching to public.aws.ecr/docker/library is awesome, one should not make that switch and then think "no more 429s for me!" because they can still happen. Even AWS is not unlimited at anything
cmeacham98
Disclaimer: I work for Amazon, but not on ECR or ECR Public.
The rate limit for unauthenticated pulls is 1/second/IP, source: https://docs.aws.amazon.com/general/latest/gr/ecr-public.htm...
bityard
This is using AWS ECR as a proxy to docker hub, correct?
Edit: Not exactly, it looks like ECR mirrors docker-library (a.k.a. images on docker hub no preceded by a namespace), not all of Docker Hub.
Edit 2: I think the example you give there is misleading, as Ubuntu has its own namespace in ECR. If you want to highlight that ECR mirrors docker-library, a more appropriate example might be `docker pull public.ecr.aws/docker/library/ubuntu`.
hereonout2
Weirdly we just this week came across docker hub limiting our pulls from a CI job in AWS.
Not something we'd encountered before but seems earlier than these changes are meant to come into effect.
We've cloned the base image into ECR now and are deriving from there. This is all for internal authenticated stuff though.
SOLAR_FIELDS
The way I figured out this was going on is that the organization I work at MITM’s non allowlisted endpoints. We started having engineers randomly fail for pulling from dockerhub proxying to Cloudflare R2 under the hood. After a while of scratching our heads I thought to check dockerhub and here was the news. Builds failing like this is because many prominent projects are now changing under the hood the storage location. I can say with reasonable confidence a lot of prominent projects have moved already. Notably the Python base image was moved to Cloudflare R2 sometime yesterday which caused all manner of fun breakages before we implemented a fix
We fixed the problem by using a pull through registry
pronik
In case someone from Gitlab is watching: there is a long-standing issue that Gitlab Dependency Proxy does not work with containerd rewriting (https://gitlab.com/gitlab-org/gitlab/-/issues/350485), making it impossible to use as a generic Docker Hub mirror.
Can't believe the sense of entitlement in this thread. I guess people think bandwidth grows on trees.
For residential usage, unless you're in an apartment tower where all your neighbors are software engineers and you're all behind a CGNAT, you can still do a pull here and there for learning and other hobbyist purposes, which for Docker is a marketing expense to encourage uptake in commercial settings.
If you're in an office, you have an employer, and you're using the registry for commercial purposes, you should be paying to help keep your dependencies running. If you don't expect your power plant to give you electricity for free, why would you expect a commercial company to give you containers for free?