How I handled “Pull Limit Reached” from Docker?
Starting Nov 2020 Docker has announced that they would enforce a limit on container pulls for their free and anonymous users. To get more specific, it is the end goal of Docker to restrict anonymous users to 100 container pulls per six hours. More info here
Since then I have been facing this error occasionally in my builds (AWS CodeBuild) although I have not done 100 builds in the last six hours. Since this is anonymous access, I could only imagine that the limit has been reached by AWS CodeBuild in general and not specifically by my application.
Despite the choice of your CI tool, may it be CodeBuild, Jenkins or anything that pulls Docker Containers for the Build Environment, this could be a real blocker for the Development teams.
Solution
AWS offers ECR service where Docker images can be pushed. In the past, I used it mostly to push my custom-built images which were built upon the public images when the anonymous/free usage had no limits. Since there is no pull limit from ECR Repo to CodeBuild, I can do it any number of times.
It is also important to mention that private repo usage is added to the billing and pushing the publicly available DockerHub images to AWS private repos, thus end up paying AWS is not also the ideal case.
To tackle this, I created a public registry where I push publicly available images and push my custom built images, may it be packaged application code, images with custom SSL certificates etc into my private registry.
There are a lot of public repositories already published but none of them are official (as of now). This is the primary reason for me to create my own rather than reusing them.
How to create a public registry?
Create a Repo and make it public. By default each AWS account is given a Alias.
This is to be done for each image that you would like to push. In my case it is maven and openjdk. After the repo creation, the images should be pushed into them.
The push commands are shown for each repo. This can be done from your local PC with Docker and AWS CLI configured. However, I did not want to do this and used CodeBuild to do it for me.
I created it using the following CloudFormation script
As soon as the CodeBuild Project is created, the build has to be manually started and you will have your images pushed in a few minutes. You may as well change the BuildSpec from the console whenever you need a different image.
Please note that the region mentioned in this line should not be changed. It does not depict the region that you use but the region where the authentication is done.
aws ecr-public get-login-password --region us-east-1 | docker login --username AWS --password-stdin public.ecr.aws/$MY_REGISTRY_ALIASNow that these images are public, I tweaked my build configuration for my applications to pull my public images and not from DockerHub.
docker build -t $PRIVATE_REGISTRY/backend-app:latest \
--build-arg PUBLIC_REGISTRY=public.ecr.aws/$MY_REGISTRY_ALIAS \
.
docker push $PRIVATE_REGISTRY/backend-app:latestMy Dockerfile looks like this now
# Build
# Value of PUBLIC_REGISTRY gets overridden by the variable provided with the build command
ARG PUBLIC_REGISTRY=docker.io
FROM ${PUBLIC_REGISTRY}/maven:3.6.3-jdk-11 AS build
COPY src /home/app/src
COPY pom.xml /home/app
RUN mvn -f /home/app/pom.xml clean package
# Package
FROM ${PUBLIC_REGISTRY}/openjdk:11-jre-slim
COPY --from=build /home/app/target/backend-app.jar backend-app.jar
EXPOSE 8080
ENTRYPOINT ["java", "-jar", "backend-app.jar"]Until I come up with another idea: Clap on, Comment, Share and Follow.
Happy Coding!
👋 Join FAUN today and receive similar stories each week in your inbox! ️ Get your weekly dose of the must-read tech stories, news, and tutorials.
Follow us on Twitter 🐦 and Facebook 👥 and Instagram 📷 and join our Facebook and Linkedin Groups 💬
