Docker Hub Rate Limits: Community Feedback & Questions

Overview

On April 1, 2025, Docker will implement new pull rate limits that will impact GitLab CI/CD pipelines:

• Unauthenticated users: 10 pulls per hour per IP address
• Personal accounts (authenticated): 100 pulls per hour
• Business/Team/Pro accounts: Unlimited pulls (fair use policy)

We've published a blog post detailing these changes and providing guidance on how to prepare your GitLab pipelines. This issue serves as a centralized place for questions, feedback, and sharing experiences related to these upcoming changes.

How to use this issue

• Questions: Ask specific questions about how the Docker Hub rate limits will affect your workflows
• Implementation feedback: Share your experience implementing the solutions described in our blog
• Challenges: Report any challenges you're facing when preparing for these changes
• Solutions: Share alternative solutions or workarounds you've discovered

Important resources

• Blog post
• GitLab Dependency Proxy Documentation
• Configure Docker Hub Credentials for Dependency Proxy
• Using Docker Images in GitLab CI/CD
• GitLab Container Registry
• Docker Hub Documentation on Rate Limits

Timeline

• Now: Implement authentication for Docker Hub pulls and configure GitLab Dependency Proxy
• April 1, 2025: Docker Hub rate limits go into effect
• April 17, 2025: GitLab 17.11 release with UI-based Dependency Proxy authentication support for self-managed instances

FAQ (We'll update this section based on your questions)

Q: Will GitLab-hosted runners be affected?
A: For job images defined in your .gitlab-ci.yml, we use Google Cloud's pull-through cache to avoid rate limits. However, images pulled within the runner environment (e.g., in Docker-in-Docker or Kaniko builds) will be affected.

Q: How do I know if I'm approaching rate limits?
A: Docker doesn't currently provide a way to check your current rate limit usage. We recommend implementing authentication and using GitLab's Dependency Proxy as a precaution.

Q: Does using the Dependency Proxy count as one pull from Docker Hub?
A: Yes, the first time an image is requested through the Dependency Proxy, it counts as one pull from Docker Hub. Subsequent pulls use the cached copy and don't count against your Docker Hub rate limit.

Q: How do I use Dependency Proxy or change the registry for CodeClimate-based Code Quality Scanning?
A: CodeClimate-based scanning uses Docker-in-Docker and pulls from Docker Hub by default. To keep rate limits from impacting your pipeline, you can change how images are downloaded.

Join the discussion

Please share your questions and feedback below. The GitLab team will be monitoring this issue and providing assistance.