New Docker Hub rate limit & polling issue

Open shinebayar-g opened this issue 4 years ago • 11 comments

Recently Docker Hub implemented a rate limiting policy.

This makes Keel's poll policy ineffective. I guess right now Keel polls are counting towards this rate limit quota, because it's incrementing the download counter of the image. Is there any workaround for this issue? I noticed that if I already downloaded that image using the docker pull command, it doesn't increment the download counter on the second pull.

downloading new image

✗ docker pull busybox
Using default tag: latest
latest: Pulling from library/busybox
Digest: sha256:4f47c01fa91355af2865ac10fef5bf6ec9c7f42ad2321377c21e844427972977
Status: Downloaded newer image for busybox:latest
docker.io/library/busybox:latest

Since we have the newest image, it doesn't increment the download counter on Docker Hub.

✗ docker pull busybox               
Using default tag: latest
latest: Pulling from library/busybox
Digest: sha256:4f47c01fa91355af2865ac10fef5bf6ec9c7f42ad2321377c21e844427972977
Status: Image is up to date for busybox:latest
docker.io/library/busybox:latest

I guess if Keel were able to use the same technique, it could solve the rate limit issue. (Only guessing, because the counter not incrementing doesn't guarantee we will not count towards the quota. Need to verify.)

shinebayar-g avatar Aug 30 '20 06:08 shinebayar-g

I think there are two APIs - checksum and tags so yeah, need to check docker's distribution package to see maybe they have another API that doesn't use the limits.

rusenask avatar Sep 01 '20 09:09 rusenask

Huge +1 for opening this issue @shinebayar-g :) I hope we can do something to make polling usable in the long run without a quick ban of the external IP from Docker Hub.

immanuelfodor avatar Sep 18 '20 10:09 immanuelfodor

I just want to add that this issue is actually time sensitive: the new rate limit policy will become effective in November.

sagikazarmark avatar Oct 09 '20 16:10 sagikazarmark

Actually, it has been in effect for over a month now. At least the rate limiting.

shinebayar-g avatar Oct 09 '20 16:10 shinebayar-g

Oh, didn't know that!

BTW found this: https://github.com/crazy-max/diun

Maybe it can provide a solution

sagikazarmark avatar Oct 09 '20 23:10 sagikazarmark

> Oh, didn't know that!
>
> BTW found this: https://github.com/crazy-max/diun
>
> Maybe it can provide a solution

looking at the source it seems to be polling too

rusenask avatar Oct 10 '20 07:10 rusenask

Harbor Docker registry updated its docs to address the rate limiting: https://goharbor.io/docs/2.1.0/administration/configure-proxy-cache/

> As of Harbor v2.1.1, Harbor proxy cache fires a HEAD request to determine whether any layer of a cached image has been updated in the Docker Hub registry. Using this method to check the target registry will not trigger the Docker Hub rate limiter. If any image layer was updated, the proxy cache will pull the new image, which will count towards the Docker Hub rate limiter.

Maybe this is what Keel should do, too.

immanuelfodor avatar Oct 31 '20 05:10 immanuelfodor

@rusenask

> looking at the source it seems to be polling too

Yes, but with a HEAD request on the manifest (since 4.8.0), which does not count towards the rate limit ;)

crazy-max avatar Nov 18 '20 01:11 crazy-max
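
The HEAD-on-manifest check described in the comments above, sketched in Go as an added example (not code from Keel, Harbor or diun): the tag's current digest is read from the `Docker-Content-Digest` response header and can be compared with the digest of the running image, so nothing is pulled unless it changed. `RemoteDigest`, `FakeRegistry` and `ErrRateLimited` are hypothetical names; authentication is assumed to be handled by the supplied `http.Client`, and the registry here is a constructed local stand-in so the example runs offline.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Manifest media types a pull negotiates, so the digest is the one a pull of the tag resolves.
const accept = "application/vnd.docker.distribution.manifest.v2+json, application/vnd.docker.distribution.manifest.list.v2+json, " +
	"application/vnd.oci.image.manifest.v1+json, application/vnd.oci.image.index.v1+json"
var ErrRateLimited = fmt.Errorf("registry answered 429 Too Many Requests")

// RemoteDigest sends HEAD /v2/<repo>/manifests/<tag>; no manifest body or layer is fetched.
func RemoteDigest(c *http.Client, registry, repo, tag string) (string, error) {
	req, err := http.NewRequest(http.MethodHead, registry+"/v2/"+repo+"/manifests/"+tag, nil)
	if err != nil {
		return "", err
	}
	req.Header.Set("Accept", accept)
	resp, err := c.Do(req)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode == http.StatusTooManyRequests {
		return "", ErrRateLimited // caller should back off, not retry in a tight loop
	}
	digest := resp.Header.Get("Docker-Content-Digest")
	if resp.StatusCode != http.StatusOK || digest == "" {
		return "", fmt.Errorf("HEAD %s:%s: status %s, digest %q", repo, tag, resp.Status, digest)
	}
	return digest, nil
}

// FakeRegistry is a constructed offline stand-in serving one tag; it is not Docker Hub.
func FakeRegistry(digest string, status int) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method == http.MethodHead && r.URL.Path == "/v2/library/busybox/manifests/latest" {
			w.Header().Set("Docker-Content-Digest", digest)
		}
		w.WriteHeader(status)
	}))
}

func main() { // digest below is the busybox digest quoted in the issue
	srv := FakeRegistry("sha256:4f47c01fa91355af2865ac10fef5bf6ec9c7f42ad2321377c21e844427972977", http.StatusOK)
	fmt.Println(RemoteDigest(srv.Client(), srv.URL, "library/busybox", "latest"))
}
```

A poller would call `RemoteDigest` on each interval and trigger a pull only when the returned digest differs from the one it last deployed.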

I'm getting this problem too. Did you find something about that?

kfirfer avatar May 17 '23 00:05 kfirfer

Does this commit fix the issue?

kfirfer avatar May 17 '23 00:05 kfirfer

For me, HEADs are fine

immanuelfodor avatar May 17 '23 07:05 immanuelfodor