Sep 19, 2020

The End of an Era for Public Container Image Registries

With the recent changes made to the Docker Terms of Service, image pulls from Docker Hub issued by unauthenticated clients and by users of the free pricing tier will be rate-limited. This essentially means you can perform 100 (or 200) pulls every 6 hours, after which you'll receive rate-limiting errors.

While it is explicitly stated that cases like CI systems will be unblocked for now, if you're using any shared infrastructure that interacts with Docker Hub in some way, you should make sure your Docker client is authenticated so that a noisy neighbour cannot affect your deployment.

At Hygraph, we noticed this change when our internal CI pipelines related to building service container images started to fail increasingly often. During further investigations, we found that our CI jobs were getting rate-limited, and we had to repeat the failed builds. We run a high number of build jobs every day, and each of those jobs could run on shared infrastructure, so IP-based rate-limiting as enforced by Docker Hub is a risk to our operations.

To add some context: in most cases, we only consume container images from Docker Hub for development and build purposes, and luckily not for the final deployment. A pushed image includes all of its layers, including the base image and all dependencies, so our deployments continued working just fine.

Still, this marks a turning point in the way we consume images from public registries such as Docker Hub, leading us to change internal policies and processes to make sure we depend less on public image registries.

It would seem the times of writing Dockerfiles starting with FROM node:14-alpine or FROM golang:1.15-alpine are over, figuratively speaking.
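A policy of depending less on public registries can be checked in CI. The following is an added example, not code from the original post or from Hygraph: it lists every FROM line in a Dockerfile that resolves to Docker Hub. The function names, the sample Dockerfile and the host registry.example.internal are constructed for illustration.

```python
import re

FROM_RE = re.compile(r"^\s*FROM\s+(?:--\S+\s+)*(\S+)(?:\s+AS\s+(\S+))?", re.I)
ARG_RE = re.compile(r"^\s*ARG\s+(\w+)(?:=(\S+))?", re.I)
VAR_RE = re.compile(r"\$(?:\{(\w+)\}|(\w+))")  # $NAME or ${NAME} only
HUB_HOSTS = {"docker.io", "index.docker.io"}

def registry_of(image):
    """Registry host a reference resolves to, following Docker's rule: the
    first path component is a host only if it has '.' or ':' or is localhost."""
    first, sep, _ = image.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"

def docker_hub_bases(dockerfile_text):
    """Return (line, image) for each FROM that pulls from Docker Hub, or whose
    registry cannot be determined because a build ARG has no default."""
    args, stages, findings, seen_from = {}, set(), [], False
    for lineno, line in enumerate(dockerfile_text.splitlines(), start=1):
        arg = ARG_RE.match(line)
        if arg and not seen_from:  # only ARGs before the first FROM apply to FROM
            if arg.group(2):
                args[arg.group(1)] = arg.group(2).strip("\"'")
            continue
        frm = FROM_RE.match(line)
        if not frm:
            continue
        seen_from = True
        image = VAR_RE.sub(
            lambda m: args.get(m.group(1) or m.group(2), m.group(0)), frm.group(1))
        is_local = image == "scratch" or image.lower() in stages
        if not is_local and ("$" in image or registry_of(image) in HUB_HOSTS):
            findings.append((lineno, image))  # unresolved ARGs fail closed
        if frm.group(2):
            stages.add(frm.group(2).lower())
    return findings

# Constructed sample; registry.example.internal is a placeholder host.
SAMPLE_DOCKERFILE = """\
ARG GO_IMAGE=golang:1.15-alpine
ARG MIRROR
FROM node:14-alpine AS assets
FROM --platform=linux/amd64 ${GO_IMAGE} AS build
FROM registry.example.internal/base/alpine:3.12 AS runtime
FROM ${MIRROR}/library/debian:buster AS debug
FROM assets AS final
FROM scratch
"""
```

Calling docker_hub_bases(SAMPLE_DOCKERFILE) reports lines 3, 4 and 6; a CI job can fail the build whenever the returned list is non-empty.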