Did Dockerhub rate limit affect Github Action? #1445
Comments
Darleev
added
question
|
Hello @BrightRan , thank you for raising it. I have found the following Docker use-cases in GA (I could miss something): jobs:
my_first_job:
steps:
- run: docker pull alpine:3.11This use-case allow customers to do login by theirselves: steps:
- run: |
docker login --username ${{ secrets.docker_username }} --password ${{ secrets.docker_password }}
docker pull alpine:3.11jobs:
container:
runs-on: ubuntu-latest
container: node:10.16-jessie
steps:
- run: |
echo This job does specify a container.
echo It runs in the container instead of the VM.
name: Run in containerLooks like pull of such container is happening at the first step of pipeline and we can't login before somehow. jobs:
my_first_job:
runs-on: ubuntu-latest
steps:
- uses: docker://alpine:3.11this use case will be affected too steps:
- run: docker login
- uses: docker://alpine:3.11Container pull happens at the first step of the build before docker login jobs:
my_first_job:
runs-on: ubuntu-latest
steps:
- uses: my_custom_action_that_uses_docker_inside@v1In the first use-case, customer can overcome limit by login to docker as a first step of pipeline: DockerHub will use IP rate limit so our customers could be affected. I don't have much experience with docker so could be wrong, may be actions/runner team can help us to understand if there is a way to login in use-cases 2,3,4. cc: @hross , @ericsciple , @TingluoHuang |
|
@maxim-lobanov , |
|
@BrightRan , for 4 - yes. steps:
- run: docker login
- uses: docker://alpine:3.11
|
|
@maxim-lobanov , |
|
The great thing about this thread is... We are actually actively working on providing more native login capabilities in actions. See this ADR. This should make it easier for customers to set up authentication for scenarios @dakale is adjusting the syntax with @chrispat (today, actually). We should have this ready to go by the end of the month at the latest, which should mean better support before the docker limits are imposed. Hey @dakale can you add each of these examples to your ADR (1-4) and explain how they can be addressed with the new syntax? |
|
@hross , Happy to hear that we are working on feature that will fix the issue. |
|
I agree with the scenarios as described by @maxim-lobanov , I think it accurately reflects all the ways we support containers. This only affects For I should note that (due to my mistake), the link to the ADR @hross posted is out of date. We have iterated on it since, and the change is significant relative to this issue. Check the PR for the most up to date document: https://github.com/github/c2c-actions-runtime/pull/813/files That ADR, as currently designed, only solves I have no way to gauge what the impact of the rate limiting will be, since I dont know the range of IPs used for the hosted runner vms or how much of the available rate they might consume, but 100 per 6 hours is very very low. Its hard to make a judgement on whether its worth revising the ADR again to account for rate limiting, but I do think its worth considering given how low the limit is. |
|
We're also thinking about this in Azure Pipelines. We already have a technical solution for scenarios 2 and 3 (container resources can use a service connection for authentication). Most of our current usage is anonymous, though, so we'll have to help customers understand the impact and adapt. |
|
Judging from the ADRs being private, will GitHub users not get to see the syntax until it's out (and can't have breaking changes)? Since the rate limit would almost definetely affect users, would it be worth adding a deprecation notice once a fix is available eventually forcing all users to pull while being logged in? Could help solve problems before they arise if people new to GitHub Actions start using it and expect it to work without knowing about the limit or that public CIs don't get some kind of whitelist |
|
@nihaals the syntax is very simple as we are simply adding a credentials element to the |
|
I made what I think is a related feature request that may make it nicer to login with Actions which sounds like will work with the new syntax What do you think about the deprecation notice on unauthorised Docker Hub images? Probably blocked by finding out if official images are exempt and the new syntax |
|
As I understand it one scary and unresolved problem with (1) is going to be sharing Hub credentials with forked repos. Any solution that involves a Does the solution that's being worked on address this aspect? |
|
At the moment we do not have a solution to that particular problem but we are investigating options. |
|
After the latest GitHub update, you can specify credentials for container downloading: https://github.blog/changelog/2020-09-24-github-actions-private-registry-support-for-job-and-service-containers/ |
I read the blog post. The new feature, being able to authenticate with registries, looks like it will have the nice side effect of solving the rate limiting problem for job containers and service containers by allowing people to authenticate, which would stop them from being forced to share the rate limit pool with other GitHub Actions users. However, do you know whether it will work for Docker container actions? For example, from the docs (https://docs.github.com/en/free-pro-team@latest/actions/reference/workflow-syntax-for-github-actions#example-using-a-docker-hub-action): jobs:
my_first_job:
steps:
- name: My first step
uses: docker://alpine:3.8In this example, the image used for the Docker container action is being pulled by the GitHub Actions runner from Docker Hub. Because credentials aren't specified for the step, I'm assuming this is being done without authenticating with Docker Hub. The images used for Docker container actions must be public, which means people don't have to authenticate to use them, but if they choose not to authenticate as they use them, they'll be subject to the IP-based rate limiting, affected by other GitHub Actions users. Is this correct? |
|
@chrispat sorry to ask again, but it's getting worryingly close to November and, as far as I can tell, there's still no safe way for open source projects to use authenticated access to Docker Hub. Has there been any progress in finding a way for forks of repos to be able to inherit Docker Hub authentication from the original repo? |
|
For publicly accessible containers we are working with docker hub to make sure you will not be impacted by the new rate limits. If you need private containers we still do not have a solution for that problem for forks of public repos. |
|
Thank you @chrispat! As a maintainer of an open source project that uses public Docker images, that's really good news. |
@chrispat just to confirm, does this mean we will NOT need to add dockerhub auth to all of our jobs that pull public dockerhub images? |
|
That is correct. It is important to note that this will only apply to the runners hosted by GitHub, if you are using self-hosted runners you will need to configure your own credentials. |
|
Thank you for the confirmation! :) |
GHA are not rate limited by DockerHub [1] so we can remove these credentials [1] actions/runner-images#1445 (comment) Signed-off-by: André Martins <andre@cilium.io>
[ upstream commit 3162535 ] GHA are not rate limited by DockerHub [1] so we can remove these credentials [1] actions/runner-images#1445 (comment) Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Maciej Kwiek <maciej@isovalent.com>
[ upstream commit 3162535 ] GHA are not rate limited by DockerHub [1] so we can remove these credentials [1] actions/runner-images#1445 (comment) Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Maciej Kwiek <maciej@isovalent.com>
[ upstream commit 3162535 ] GHA are not rate limited by DockerHub [1] so we can remove these credentials [1] actions/runner-images#1445 (comment) Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Maciej Kwiek <maciej@isovalent.com>
[ upstream commit 3162535 ] GHA are not rate limited by DockerHub [1] so we can remove these credentials [1] actions/runner-images#1445 (comment) Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Glib Smaga <code@gsmaga.com>
[ upstream commit 3162535 ] GHA are not rate limited by DockerHub [1] so we can remove these credentials [1] actions/runner-images#1445 (comment) Signed-off-by: André Martins <andre@cilium.io> Signed-off-by: Glib Smaga <code@gsmaga.com>
So we still don't know what the exact agreement terms are but for at least public repos, anonymous pulls from github don't seem to hit any rate limit anymore. I'm guessing some caching is also happening because why would it not. But rate limits are not the end of the story. I found this FAQ https://forums.docker.com/t/automated-docker-pulls-from-github-hosted-runner-which-organization-must-pay/116095
This does not say anything about rate limits, it merely says "automated agent". Who is the "automated agent"? Github or the open-source project using github to docker pull anonymously? |
|
I think the issue with rate limit has landed again, has the agreement between GitHub and Docker been terminated or what has happened? The problem would be easy to solve if I could do docker login before the docker build happens but as the build will happen before any steps in the workflow (or the composite action) are executed, it is not possible. Is there already some solution for this kind of case, or should the agreement of Docker Hub not limiting pulls from GitHub runners (which I have been using) for an anonymous user be still in force? I could also use our company's self-hosted runners but it will not remove the issue because there are so many docker pulls to Docker Hub from our company's IP also that the limits are reached (tried that). I could even use our company's own Docker Hub registry cache (by adding the cache host to the action's Dockerfile, before the image name) but that would require me to login to the cache registry before the docker image build, and we are back in the issue of not being able to have any login step before the Docker based action image build. |
|
Some projects like this one publish their images to https://ghcr.io too: https://github.com/zephyrproject-rtos/docker-image/blob/1a0e3737905/README.md Given that choice, we switched from docker.io to ghcr.io for that particular image. Interestingly, we didn't observe any speedup but we (naively?) hope this will avoid all rate limiting issues now and in the future. |
|
@marc-hb Do you have some Docker(file) based actions (https://docs.github.com/en/actions/creating-actions/creating-a-docker-container-action) which are using base images from a ghrc.io or some other private Docker registry? How are you able to login to the registry before the action is built in the workflow since none of the steps in the workflow run before the base image is tried to be pulled? |
We don't login, that's why we switched to the ghcr.io mirror of that particular image. I have never set up a ghcr.io mirror myself but I assumed it's not rocket science if you're already publishing images somewhere and an alternative worth mentioning. |
|
Ok, didn't know that it is possible to pull images from a ghcr.io mirror without any login on GitHub runners but now I know. The issue is just that the base image in the Dockerfile is an official openjdk image which I was not able to find being available in ghcr.io. And, even though it is of course always possible to set up an own user for container registry, it is even more challenging than rocket science to make that happen in such a big and stiff corporation I am working for. |
https://qiita.com/tippy/items/2972b01ff484616bf6ed 追記に書いてあるが、以下の Issue のコメントによれば GitHub Actions では制限を受けないらしいのでメモ。 actions/runner-images#1445 (comment) Co-authored-by: Moriya Hiroyuki <mryhryki@gmail.com>
@ssallmen-pro |
|
I'm also seeing this today. Did anything change? |
|
@SvetaSR @chancez |
and others
Associated community ticket: https://github.community/t/did-dockerhub-rate-limit-affect-github-action/128158
The customer noticed that Docker hub has updated their pricing, Download rate limit and retention policy recently. He is wondering if the download rate limit affects on Github Action.
Will the steps like below are affected?
According to the introductions from the docs about "Download rate limit", the limit seems only applies for the anonymous users with an eventual limit of 100 pulls per six hours. Logged in users will not be affected at this time.
I setup a workflow with the following step that pull an image 101 times in a loop.
It can successfully download the image 101 times without any warning or error messages about the download rate limit.
Note: Consider there may be image cache, I have used the "docker image rm" command to remove the image every time before downloading it again.
Question:
When we try to pull some public images in the workflow, if we do not login with any of our accounts, whether GitHub has a default account to login the docker?
If not, in my above example, why it is not hit the download rate limit?
The text was updated successfully, but these errors were encountered: