From d0b06df9eea27bd9ea165b10e5451aa002e7d54c Mon Sep 17 00:00:00 2001 From: Craig Date: Mon, 27 Jan 2025 09:48:09 -0800 Subject: [PATCH 1/3] hub: clarify ipv6 abuse rate limiting Signed-off-by: Craig --- content/manuals/docker-hub/usage/_index.md | 8 ++++---- content/manuals/docker-hub/usage/pulls.md | 21 +++++++++++++++++++-- 2 files changed, 23 insertions(+), 6 deletions(-) diff --git a/content/manuals/docker-hub/usage/_index.md b/content/manuals/docker-hub/usage/_index.md index b3321494a6e0..16f0c26a326c 100644 --- a/content/manuals/docker-hub/usage/_index.md +++ b/content/manuals/docker-hub/usage/_index.md @@ -45,10 +45,10 @@ exhibiting excessive data and storage consumption. Docker Hub has an abuse rate limit to protect the application and infrastructure. This limit applies to all requests to Hub properties including -web pages, APIs, and image pulls. The limit is applied per-IP, and while the -limit changes over time depending on load and other factors, it's in the order -of thousands of requests per minute. The abuse limit applies to all users -equally regardless of account level. +web pages, APIs, and image pulls. The limit is applied per IPv4 address or per +IPv6 /64 subnet, and while the limit changes over time depending on load and +other factors, it's in the order of thousands of requests per minute. The abuse +limit applies to all users equally regardless of account level. You can differentiate between the pull rate limit and abuse rate limit by looking at the error code. The abuse limit returns a simple `429 Too Many diff --git a/content/manuals/docker-hub/usage/pulls.md b/content/manuals/docker-hub/usage/pulls.md index b201c80aa1e8..c398cc6b7d90 100644 --- a/content/manuals/docker-hub/usage/pulls.md +++ b/content/manuals/docker-hub/usage/pulls.md @@ -133,6 +133,23 @@ If you're using any third-party platforms, follow your provider’s instructions - [LayerCI](https://layerci.com/docs/advanced-workflows#logging-in-to-docker) - [TeamCity](https://www.jetbrains.com/help/teamcity/integrating-teamcity-with-docker.html#Conforming+with+Docker+download+rate+limits) +## Rate limiting on third-party platforms + +When pulling images via a third-party platform, the platform may use the same +IPv4 address or IPv6 /64 subnet to pull images for multiple users. Even if you +are authenticated, pulls attributed to a single IPv4 address or IPv6 /64 subnet +may cause [abuse rate limiting](./_index.md#abuse-rate-limit). + +This issue is more common when using IPv6. To workaround the issue, you can +disable IPv6 in the Docker daemon. Use the following to disable IPv6 in Docker Engine or +Docker Desktop. + - Docker Engine: Add the `"ipv6": false` key and value in your + [`daemon.json` +file](/reference/cli/dockerd/#daemon-configuration-file). Restart Docker after + modifying the configuration. + - Docker Desktop: Add the `"ipv6": false` key and value in your [Docker Engine settings](/manuals/desktop/settings-and-maintenance/settings.md#docker-engine). Restart Docker after modifying the + configuration. + ## View monthly pulls and included usage You can view your monthly pulls on the [Usage page](https://hub.docker.com/usage/pulls) in Docker Hub. @@ -153,7 +170,6 @@ separated file with the following detailed information. | `version_checks` | The number of version checks accumulated for the date and hour of each image repository. Depending on the client, a pull can do a version check to verify the existence of an image or tag without downloading it. | This helps identify the frequency of version checks, which you can use to analyze usage trends and potential unexpected behaviors. | | `pulls` | The number of pulls accumulated for the date and hour of each image repository. | This helps identify the frequency of repository pulls, which you can use to analyze usage trends and potential unexpected behaviors. | - ## View hourly pull rate and limit The pull rate limit is calculated on a per hour basis. There is no pull rate @@ -215,4 +231,5 @@ To view your current pull rate and limit: is unlimited in partnership with a publisher, provider, or an open source organization. It could also mean that the user you are pulling as is part of a paid Docker plan. Pulling that image won't count toward pull rate limits if you - don't see these headers. \ No newline at end of file + don't see these headers. + From 46e7bc5c688300ef6508b4fbef931556cb82030f Mon Sep 17 00:00:00 2001 From: Craig Date: Mon, 27 Jan 2025 12:07:09 -0800 Subject: [PATCH 2/3] update ipv6 pull limit for unauthenticated Signed-off-by: Craig --- content/manuals/docker-hub/usage/_index.md | 14 +++++++------- content/manuals/docker-hub/usage/pulls.md | 14 +++++++------- 2 files changed, 14 insertions(+), 14 deletions(-) diff --git a/content/manuals/docker-hub/usage/_index.md b/content/manuals/docker-hub/usage/_index.md index 16f0c26a326c..0c6bc437263b 100644 --- a/content/manuals/docker-hub/usage/_index.md +++ b/content/manuals/docker-hub/usage/_index.md @@ -20,13 +20,13 @@ The following table provides an overview of the included usage and limits for ea user type, subject to fair use: -| User type | Pulls per month | Pull rate limit per hour | Public repositories | Public repository storage | Private repositories | Private repository storage | -|--------------------------|-----------------|--------------------------|---------------------|---------------------------|----------------------|----------------------------| -| Business (authenticated) | 1M | Unlimited | Unlimited | Unlimited | Unlimited | Up to 500 GB | -| Team (authenticated) | 100K | Unlimited | Unlimited | Unlimited | Unlimited | Up to 50 GB | -| Pro (authenticated) | 25K | Unlimited | Unlimited | Unlimited | Unlimited | Up to 5 GB | -| Personal (authenticated) | Not applicable | 40 | Unlimited | Unlimited | Up to 1 | Up to 2 GB | -| Unauthenticated users | Not applicable | 10 per IP address | Not applicable | Not applicable | Not applicable | Not applicable | +| User type | Pulls per month | Pull rate limit per hour | Public repositories | Public repository storage | Private repositories | Private repository storage | +|--------------------------|-----------------|----------------------------------------|---------------------|---------------------------|----------------------|----------------------------| +| Business (authenticated) | 1M | Unlimited | Unlimited | Unlimited | Unlimited | Up to 500 GB | +| Team (authenticated) | 100K | Unlimited | Unlimited | Unlimited | Unlimited | Up to 50 GB | +| Pro (authenticated) | 25K | Unlimited | Unlimited | Unlimited | Unlimited | Up to 5 GB | +| Personal (authenticated) | Not applicable | 40 | Unlimited | Unlimited | Up to 1 | Up to 2 GB | +| Unauthenticated users | Not applicable | 10 per IPv4 address or IPv6 /64 subnet | Not applicable | Not applicable | Not applicable | Not applicable | For more details, see the following: diff --git a/content/manuals/docker-hub/usage/pulls.md b/content/manuals/docker-hub/usage/pulls.md index c398cc6b7d90..1182513626dd 100644 --- a/content/manuals/docker-hub/usage/pulls.md +++ b/content/manuals/docker-hub/usage/pulls.md @@ -23,13 +23,13 @@ The following pull usage and limits apply based on your subscription, subject to fair use: -| User type | Pulls per month | Pull rate limit per hour | -|--------------------------|-----------------|--------------------------| -| Business (authenticated) | 1M | Unlimited | -| Team (authenticated) | 100K | Unlimited | -| Pro (authenticated) | 25K | Unlimited | -| Personal (authenticated) | Not applicable | 40 | -| Unauthenticated Users | Not applicable | 10 per IP address | +| User type | Pulls per month | Pull rate limit per hour | +|--------------------------|-----------------|----------------------------------------| +| Business (authenticated) | 1M | Unlimited | +| Team (authenticated) | 100K | Unlimited | +| Pro (authenticated) | 25K | Unlimited | +| Personal (authenticated) | Not applicable | 40 | +| Unauthenticated Users | Not applicable | 10 per IPv4 address or IPv6 /64 subnet | ## Pull definition From ca05eca89fe57b2b7d761ad33f6abb098a2fcae2 Mon Sep 17 00:00:00 2001 From: Craig Date: Fri, 31 Jan 2025 11:26:41 -0800 Subject: [PATCH 3/3] remove workaround Signed-off-by: Craig --- content/manuals/docker-hub/usage/pulls.md | 24 +++++++---------------- 1 file changed, 7 insertions(+), 17 deletions(-) diff --git a/content/manuals/docker-hub/usage/pulls.md b/content/manuals/docker-hub/usage/pulls.md index 1182513626dd..a652bcb1276a 100644 --- a/content/manuals/docker-hub/usage/pulls.md +++ b/content/manuals/docker-hub/usage/pulls.md @@ -121,6 +121,13 @@ for information on authentication. If you're using any third-party platforms, follow your provider’s instructions on using registry authentication. +> [!NOTE] +> +> When pulling images via a third-party platform, the platform may use the same +> IPv4 address or IPv6 /64 subnet to pull images for multiple users. Even if you +> are authenticated, pulls attributed to a single IPv4 address or IPv6 /64 subnet +> may cause [abuse rate limiting](./_index.md#abuse-rate-limit). + - [Artifactory](https://www.jfrog.com/confluence/display/JFROG/Advanced+Settings#AdvancedSettings-RemoteCredentials) - [AWS CodeBuild](https://aws.amazon.com/blogs/devops/how-to-use-docker-images-from-a-private-registry-in-aws-codebuild-for-your-build-environment/) - [AWS ECS/Fargate](https://docs.aws.amazon.com/AmazonECS/latest/developerguide/private-auth.html) @@ -133,23 +140,6 @@ If you're using any third-party platforms, follow your provider’s instructions - [LayerCI](https://layerci.com/docs/advanced-workflows#logging-in-to-docker) - [TeamCity](https://www.jetbrains.com/help/teamcity/integrating-teamcity-with-docker.html#Conforming+with+Docker+download+rate+limits) -## Rate limiting on third-party platforms - -When pulling images via a third-party platform, the platform may use the same -IPv4 address or IPv6 /64 subnet to pull images for multiple users. Even if you -are authenticated, pulls attributed to a single IPv4 address or IPv6 /64 subnet -may cause [abuse rate limiting](./_index.md#abuse-rate-limit). - -This issue is more common when using IPv6. To workaround the issue, you can -disable IPv6 in the Docker daemon. Use the following to disable IPv6 in Docker Engine or -Docker Desktop. - - Docker Engine: Add the `"ipv6": false` key and value in your - [`daemon.json` -file](/reference/cli/dockerd/#daemon-configuration-file). Restart Docker after - modifying the configuration. - - Docker Desktop: Add the `"ipv6": false` key and value in your [Docker Engine settings](/manuals/desktop/settings-and-maintenance/settings.md#docker-engine). Restart Docker after modifying the - configuration. - ## View monthly pulls and included usage You can view your monthly pulls on the [Usage page](https://hub.docker.com/usage/pulls) in Docker Hub.