What Is The Issue?
The recent decision by Docker to severely rate limit anonymous pulls from Docker Hub may have an impact on the success of your builds on quay.io. If your image builds are relying on access to base images stored on Docker Hub, you may observe that some percentage of your Quay builds fail due to this new rate limiting.
When quay.io receives a build request through a trigger event, or directly through a Dockerfile upload, it schedules a build worker behind the scenes. Each of quay.io’s build workers perform that build within a sandbox virtual machine to ensure safety and full isolation across tenants on the platform. If the build process requests a base image from Docker Hub, that request will appear as an anonymous pull and be subjected by Docker’s rate limiting. Because quay.io runs many build workers on a single host, multiple requests to Docker Hub will all appear to come from the same IP address.
What Can Be Done?
The best defense against the Docker Hub rate limiting is to move any base images needed to quay.io directly. Quay.io does not restrict the number of public repositories for any user (either free or paid). In addition, quay.io does not restrict anonymous pulls against its repositories (either public or private) and only rate limits in the most severe circumstances to maintain service levels (e.g. tens of requests per second from the same IP address).