New pull limits at Docker Hub – only 10 pulls per hour for some customers
From April, Docker Hub will only allow unauthenticated users ten pulls per hour. Personal accounts and dependent services will also be restricted.
(Image: erstellt mit Dall-E durch iX)
- Manuel Masiero
The online service Docker Hub is introducing hourly pull limits for certain account types from April 1. A limit of one hundred pulls per hour applies to personal accounts. Unauthenticated users will have to make do with ten pulls per hour, counting per IPv4 address or IPv6/64 subnet. Users with a Business, Team and Pro tariff are in the clear. There are no restrictions for them.
For GitLab developers, for example, the new limits are significant if their CI/CD pipelines fetch the images from Docker Hub without authentication. This means that the limit of ten pulls per hour applies. This limit is quickly reached for pipelines that are used in several projects or use the same runner infrastructure.
This is partially mitigated by GitLab's Hosted Runners, which cache the most frequently requested Docker Hub images in the Google Cloud. Images defined as image: or service: in the .gitlab-ci.yml file are therefore not affected by the pull limit. However, it can become problematic if the request is made within the runner environment. The image defined in Dockerfile is then obtained directly from Docker Hub and therefore falls under the pull limits.
GitLab 17.11 with authentication function for Docker Hub
To mitigate the effects of the tariff changes, GitLab will add a UI-based authentication function for Docker Hub to the dependency proxy. This allows the hourly pull limit to be increased to one hundred pulls, depending on the account type, or it can be removed completely. Details on the implementation can be found in the updated documentation. The authentication function will be introduced with GitLab 17.11, which is scheduled for release on April 17 (GitLab 17.10 is only a few days old).
In addition to using the dependency proxy, GitLab mentions other methods that developers can already use to counteract the pull limits. One is to integrate the login data for Docker Hub directly into the pipelines. This involves configuring the CI/CD variable DOCKER_AUTH_CONFIG accordingly. Using specific image tags instead of latest can also help to avoid unnecessary pulls.
Videos by heise
Furthermore, GitLab recommends adding frequently used Docker images to the GitLab Container Registry to avoid having to request them from Docker Hub during CI/CD runs. The pipelines must then be updated as follows.
docker pull busybox:latest docker tag busybox:latest $CI_REGISTRY_IMAGE/busybox:latest docker push $CI_REGISTRY_IMAGE/busybox:latest
The .gitlab-ci.yml file also needs the following update:
image: $CI_REGISTRY_IMAGE/busybox:latest
(olb)
