Docker hub throttling

Docker hub throttling DEFAULT

How to work around Docker&#;s new download rate limit on Red Hat OpenShift

Have you recently tried running on Red Hat OpenShift and received a similar error message to the one below?

W dockerimagelookup.go] container image registry lookup failed: toomanyrequests: You have reached your pull rate limit. You may increase the limit by authenticating and upgrading:

If so, you do not need to upgrade your Docker account to a paid one. Instead, you can use a secret to pull your images as an authenticated Docker Hub user.

Docker's new rate limit

Docker recently changed its policy for downloading images as an anonymous user. The company now has a limit of downloads every six hours from a single IP address.

If you are using the OpenShift Developer Sandbox to experiment with a free OpenShift cluster, like I was recently, then you might encounter the error message shown in Figure 1.

You might receive this error message after trying to create a new application with the command or from the user interface (UI). The issue is that many users are using the same cluster at the same time. Whenever someone tries to create a new application from a Docker image, the cluster downloads the image as an anonymous user, which counts toward the new rate limit. Eventually, the limit is reached, and the error message pops up.

Fortunately, the workaround is easy.

Authenticate to your Docker Hub account

All you have to do to avoid Docker's new rate-limit error is authenticate to your Docker Hub account. After you've authenticated to the account, you won't be pulling the image as an anonymous user but as an authenticated user. The image download will count against your personal limit of downloads per six hours instead of the downloads shared across all anonymous cluster users.

You can use the following command to authenticate:

$ oc create secret docker-registry docker --docker-username=<username> --docker-password=<password> --docker-email=<email> $ oc secrets link default docker --for=pull $ oc new-app <username>/<image> --source-secret=docker

Note that it is recommended that you use an access token here instead of your actual password. Using an access token is also the only way to authenticate if you have two-factor authentication set up on your account.

If you prefer to use the UI, as I do, click Create an image pull secret, as shown in Figure 2.

Either way, you can quickly create an image pull secret, authenticate to your Docker Hub account, and get back to experimenting in the OpenShift Developer Sandbox.


Docker's new download rate limit has caught a few of us by surprise, but the workaround is easy. This article showed you how to use a secret to pull your images as an authenticated Docker Hub user. Once you've done that, you will be able to download images without hitting the rate limit error.

Last updated: February 17,

Earlier this year, Docker announced that it would be implementing new restrictions on the use of its Docker Hub container image repository. The move was necessary to manage outlying use cases that go beyond what it is willing to continue providing as a free service, the company claimed.

At the time, those limitations dealt with the storage of images for extended periods of time that were left idle, and the rate-limiting of image pulls, and both were to be enacted on November 2nd. While the limitation regarding idle repositories was delayed, the pull rate-limiting went into effect earlier this month, putting limits on anonymous and free tier users of and image pulls per six hours, respectively. Paid users, however, enjoy unlimited image pulls.

&#;We&#;ve got now more than 12 million developers on there, but what we discovered was that an extremely small percentage were making very, very heavy use of the Hub. And so, as part of this, we looked at that and we said, we&#;ve got to make sure that this is sustainable, really, for both sides,&#; said Donnie Berkholz, vice president of products at Docker, in an interview. &#;It affects a very small percentage, on the order of % or less of the user base, and so there&#;s a lot of noise out there, but I think it&#;s important to emphasize that we&#;re talking about more than 98% of our users that see no effect and keep on as they were, happily using Docker Hub.&#;

According to Berkholz, the company had found that this very small percentage of users were actually responsible for 30 percent of Docker Hub&#;s traffic.

&#;You can&#;t keep the unlimited, all-you-can-eat buffet going forever for everybody. You&#;ve got to figure out how you get to a point where people can take the right amount of portions. When we worked through that, we wanted to make sure that, for the vast majority of developers, they would never see this, they would never run into it,&#; explained Berkholz. &#;For a small population of users who are making extremely heavy use, those are the ones where we want to make sure that we&#;re able to provide them with value and make sure that we&#;re able to bring them into a place where we understand their use cases, and we&#;re able to provide for those use cases.&#;

Nonetheless, several companies have addressed the changes with blog posts on the topic offering their own solutions for developers, and OpenFaas founder Alex Ellis says that the issue is one many users, especially those running Kubernetes, need to prepare for now rather than later.

&#;I think a lot of people are sort of complacent about it, or they haven&#;t hit the issues that they&#;re going to hit yet. When you think about CI products, they&#;re using shared IP addresses for all of the activities on those nodes,&#; said Ellis.

In a blog post detailing how to prepare for Docker Hub rate limits, Ellis writes that &#;Kubernetes users will be most affected since it’s very common to push and pull images during development many times with each revision of a container. Even bootstrapping a cluster with 10 nodes, each of which needs 10 containers just for its control-plane and could exhaust the unauthenticated limit before you’ve even started getting to the real work.&#;

&#;It&#;s not a problem to pay. It&#;s a problem in that those rate limits, like if it had been 1, to 5,, per six hours, we probably all would have got on absolutely fine, paid them and got our registry secrets in where we needed them.&#; &#; Alex Ellis

Of course, it is for exactly these scenarios where many users are using the same IP address or a particular workflow causes a number of image pulls beyond current rate limits where Docker urges users to get a paid account. For individual users, the subscription is $5 per month, while team subscriptions start at $25 for five users per month. Even for those who pay, however, Ellis contends that the new limits will put a bit of undue burden on novice Kubernetes users.

&#;For Kubernetes learners, whichever solution you go for (including paying for a Docker Hub account), this is going to be an additional step,&#; writes Ellis. &#;The learning curve is steep enough already, but now rather than installing Kubernetes and getting on with things, a suitable workaround will need to be deployed on every new cluster.&#;

For those users looking to circumnavigate the new limits, Ellis offers a number of solutions, including hosting a local mirror of Docker Hub, using a public mirror of Docker Hub, publishing your own images to another registry, and, if still using Docker Hub, then configuring an image pull secret to authenticate with Docker and either receive the bumped up rate limit or unlimited pulls with a paid account.

To that end, Ellis has created registry-creds, an open source operator that can be used to propagate a single ImagePullSecret to all namespaces within your cluster, so that images can be pulled with authentication and to make it easier for users of Kubernetes to consume images from Docker Hub. While the tool is intended to &#;ease the every-day lives of developers and new-comers to Kubernetes,&#; he also suggests using something like Argo, Flux, or Terraform for managing secrets across namespaces in production.

In terms of alternatives, there are several, though each should be considered according to their own terms and limitations. Currently, GitHub offers unlimited pulls of public images at its GitHub Container Registry, Google offers cached Docker Hub images on its own mirrors, and AWS offers private hosting for mirroring and says it plans to launch a public container registry &#;within weeks.&#; VMWare, meanwhile, contends that Harbor &#;can help you mitigate the effects of the upcoming Docker Hub limits via both replication capabilities and a proxy cache feature,&#; and GitLab has offered a guide to its users on how to &#;reduce the number of calls to DockerHub from your CI/CD infrastructure&#;, as well as open sourced its Dependency Proxy, which will be free for GitLab Core users to &#;for proxying and caching images from Docker Hub or packages from any of the supported public repositories&#; as of November 22,

Some users who might feel the effects of these rate limit changes most acutely are open source projects, which are often already strapped for both cash and time, and Docker has offered unlimited image pulls for those projects that qualify. Requirements include that all the repos within the publisher’s Docker namespace must meet the Open Source Initiative&#;s (OSI) definition of &#;open source,&#; distribute images under OSI approved open source license, and be &#;public and non-commercial.&#; Projects have to submit an application yearly and for those approved there is a list of &#;joint promotional programs&#; they must commit to participating in, including &#;blogs, webinars, solutions briefs and other collateral.&#;

Berkholz contends that the requirements are reasonable and add up to a quid pro quo of value for all involved.

&#;Hopefully, it&#;s not too much to ask that, as we&#;re providing them things for free on our behalf, because we care about sustaining that community, that we&#;re able to make that something that makes a lot of sense for everybody involved and not go over the top and asking people to come out here and write 70 blog posts and do a webinar every week or anything,&#; said Berkholz. &#;We&#;re able to take the kinds of things that we&#;re trying to make available to help out the open source community, and get a little bit of that benefit ourselves and make it a fair trade of value, because that&#;s what&#;s going to enable the sustainability of that program on our end.&#;

For Ellis, the open source requirements, much like the rate limits themselves, appear a touch too aggressive, and he fears that the end result won&#;t be that Docker gets paid — which he encourages all to do — but rather that the entire affair will end in fragmentation.

&#;The end result is going to be a lot of fragmented solutions. Just like we had 20 serverless projects in the CNCF landscape, and then a few died out, we&#;re going to get the same thing; everyone&#;s going to be building the public container registry, everyone&#;s going to be trying to solve this problem and get a portion of those customers,&#; said Ellis. &#;Where it&#;s really going to affect people is the developer experience. If you&#;re a new developer trying to learn Kubernetes, it&#;s going to cause friction for you.&#;

The New Stack is a wholly owned subsidiary of Insight Partners, an investor in the following companies mentioned in this article: Docker.

  1. Simulator shifter
  2. Custom life size plush
  3. Usps eap reviews

Things shifted slightly in the Cloud Native world recently, when the Docker Hub turned on rate limiting. If you run a Kubernetes cluster, or make extensive use of Docker images, this is something you need to be aware of as it could cause outages. In particular, if you are suddenly finding a lot of Kubernetes pods failing with and event messages like:

Then you’ve probably been hit by the rate limiting. Essentially, in order to control costs, the Docker Hub now controls the speed at which image pulls can be made. The rules are:

  • Anonymous users can pull images in six hours.
  • Authenticated users can pull images in six hours.
  • Paid users are not limited.
  • One pull = one GET request for a manifest (GETs of image layers do not count).

Identifying Images from Docker Hub

Large clusters and CI/CD platforms that use the Hub are likely to hit these limits—in these situations you are likely to have multiple nodes pulling from the same IP address (or what appears to the Hub as the same address). 

The first thing you might want to do is find out what images from the Docker Hub you’re using. Remember that the Docker Hub controls the ‘default namespace’ for container images, so it’s not always obvious where images come from. 

If you run the following on a Kubernetes cluster, it should identify all images from the Docker Hub that use the normal naming convention:

This won’t identify images that explicitly reference the Docker Hub— i.e., images like . You can find these with the rather simpler expression:

Solving the Problem

So what’s the best way to solve this problem? It will depend on how quick you need to get this sorted, but your options are:

Pay for Docker Hub licenses. It’s not expensive, but Docker pricing is per team member, which can be a little confusing when what you actually want to license is a cluster of Kubernetes nodes. To make sure you’re in the clear here, opt for the team membership unless it’s a very small cluster. 

To use the new credentials, you will need to add image pull secrets to your deployments. Note that image pull secrets can be added to the default service account, so you don’t have to manually update every deployment.

  • Set up the Docker Registry (part of Docker Distribution) as a pull through cache or mirror. This used to be a popular solution and should ensure your cluster is only pulling each image once. Unfortunately, it isn’t that easy to do and requires configuration changes to each node, so the best approach is dependent on how you installed and manage Kubernetes.
    Be aware that the registry will delete cached images after seven days. Several clouds also run their own Docker mirrors, which avoid the need to run your own registry instance (but still require configuration).
  • Install Trow (or another registry with proxy support) and configure as a proxy-cache. Trow has a --proxy-docker-hub argument, which will configure it to automatically fetch any repos under f/docker from the Docker Hub e.g. docker pull my-trow.myorg/f/docker/redis:latest will pull the redis:latest image from the Docker Hub and cache it in the Trow registry. This solution will require updating image names to reference the Trow registry, but doesn’t require any images to be moved manually.
  • Switch all your images to point to a different registry. For example, you could install a local registry on your cluster and mandate that all images must come from the registry. This sounds like a lot of work, but it is arguably the most sustainable, maintainable, and secure way forward. With regards to enforcing the registry choice, this can be done with an Admission Controller (which can be installed with Trow) or Open Policy Agent. 

It’s worth pointing out that most of these aren’t mutually exclusive—you can pay for the Docker Hub to get you out of a bind, then move to a solution that uses both of the final two options. 

In the long run, I would recommend that most clusters should be set up with their own registry and the cluster should only be allowed to run images from that registry. Any third-party images, such as Docker official images, can be proxy-cached. 

This will provide a fall-back in the case of remote outages: As well as having a local copy that can be used, the registry also provides a place where new images can be pushed, allowing updates to still take place when the remote registry can’t be reached. In a lot of cases it may be worth taking this further and ‘gating’ all third-party content to protect against bad upstream content. In this set-up, images are tested and verified before being added to the organisational registry. 

To give an example of where this helps, imagine a bad image is pushed to the nginx repo on Docker Hub (see this NodeJS Docker issue for a real world example). If your set-up pulls this version into the cache, you’ll be stuck until a fix is pushed, but if you used gating, it should never have hit you in the first place, and you should also have a history of old images in case you need to roll back.

So what’s the takeaway from all this? We need to be more careful and thoughtful with our software supply chains. I think this is going to be a big topic in the future, and we can already see hints of where things are going in the Notary and Grafeas projects.

Photo by Pau Casals on Unsplash


Docker Pull Rate Limit, solution

Mitigate impact of Docker Hub Pull Request Limits

Determine and Mitigate Impact of Docker Hub Pull Request Limits starting Nov 2nd

If you are using Docker Hub to distribute your containerized software project, you will by now have received at least two emails about the new image pull consumption tiers. While the initially planned image retention policies (stale images are deleted after 6 months) have been postponed to mid, pull-request limits are starting to be enforced effectively on November 2nd.

How your users are going to be impacted

What this means is that, if you are using the free tier of Docker Hub, all your images will be subject to a pull request limit of pulls per six hours enforced per client IP for anonymous clients. Anonymous clients are all those users, who do not have a Docker Hub account or do not log in via docker login before pulling an image. Anonymous pulls are also very often used in CI/CD systems that build software from popular, public base images.

Pulls from authenticated users on the free tier of Docker Hub are limited to per six hours.

What counts as a pull?

The new limits are enforced on a per-manifest basis. While in the early days of containers one image corresponded to one manifest, in today’s world of multi-arch images a container image is actually a list of manifests, with one manifest/image per supported system architecture (e.g. x86_64, aarch64, arm64v8, etc).

Starting November 2nd, a pull is counted against a single request of single manifest. In case of multi-arch images, most clients however will only download the one manifest that matches the system they are running on, so it would still count as a single pull.

It is important to note however, that a pull is also counted if the client system already has all the image layers present and nothing is actually downloaded. That means that image caching does not reduce the number of pulls counted against the limit.

How to determine if you reached the pull request limit

From a user perspective, since the pull limits are enforced on per client IP, it might be hard to predict if and when limits will be reached. You can however simulate what happens, when that is the case. There are two test repositories available that already have the limits enforced, one of which is permanently at the rate limit. Clients react differently to these.

$ docker pull response from daemon: toomanyrequests: Too Many Requests. Please see

This test repository has rate limiting enabled and always in effect. The pull request immediately aborts because the registry returned HTTP (toomanyrequests).

If you are a podman user, the behavior is different:

$ podman pull
Trying to pull…

This command will initially seem to hang but will return eventually after 15 minutes. With a more verbose log level we can actually see what is going on:

$ podman --log-level debug pull
INFO[] podman filtering at log level debug

[some lines omitted]

DEBU[] Detected 'Retry-After' header "60"
DEBU[] Too many requests to sleeping for seconds before next attempt

As you can see, the registry not only returns the “toomanyrequests” HTTP code but also specifies a desired retry interval of 60 seconds via a response header. podman will by default retry 5 times in case of HTTP while respecting the pause duration specified in the “Retry-after” header. After 5 retries it backs off and considers the attempt failed. Above that, podman by default retries failed pulls 3 times, hence the overall duration of 15 minutes.

It eventually fails like the docker client:

DEBU[] Error pulling image ref //ratelimitalways/test:latest: Error initializing source docker://ratelimitalways/test:latest: Error reading manifest latest in toomanyrequests: Too Many Requests. Please see

As of time of writing, there is also the ratelimitpreview/test available, which has request counting enabled and supposedly kicking in after the announced limits. However the author could not produce a rate limit being enforced as of yet.


Assessing the impact will be challenging. Anonymous pulls from Docker Hub are widely used in the FOSS community, especially in CI/CD systems. Almost everybody has image references to public images on Docker Hub in their container platforms and many software build pipelines create containerised software from base images in public repositories.

Container platforms like Kubernetes and OpenShift might run into these limits, when trying to scale or re-schedule a deployment from such an image, even when the nodes have the image cached. These events occur constantly in any container orchestration environment and are very likely to rapidly exhaust the quota of / pulls in 6 hours, which might cause a service outage. CI/CD pipelines might start to fail building and rolling out your software and those are usually the recovery tool of choice for such outages.

Mitigation strategies

For an enterprise DevOps practice relying on such a critical service via a free-tier offering is usually not acceptable. Especially for on-premise environments the on-going dependency on an online service is not considered a long term solution.

For these environments, enterprise users can leverage Red Hat Quay to provide a scalable and secure container registry platform on top of any supported on- and off-premise infrastructure. It provides massive performance in container image distribution, combined with the ability to scan container image contents for security vulnerabilities, while providing strict multi-tenancy.

Such a deployment is not limited to a single data center or cloud region but can be scaled across the globe using geo-replication. On top of that, content can be copied into a Red Hat Quay instance on a continuous basis from any other container registry via repository mirroring, so you can provide a fast, local cache of public image repositories. For the future we are also planning to have Red Hat Quay run as a transparent proxy cache.

Example of a repository mirroring configuration in Red Hat Quay

On the other end of the spectrum there are customers that do not need their own registry service. And then there are the thousands of volunteers maintaining open source projects and containerized software.

For these audiences there is the online version of Red Hat Quay available at This is a public container registry service that shares the same code base as Red Hat Quay and has a proven track record among the open source community for more than 6 years. In August this year this platform served over 6 billion container image pulls with % uptime. not only hosts your container images and serves them to any OCI compatible client (docker, podman, etc) but it can also build your software. It connects to a source code management system of your choice (e.g. GitHub or GitLab) and builds images from your Dockerfile on every commit. At the same time it provides image content scanning, so you can become aware when your published images contain any known security vulnerabilities. This scanning covers a variety of package managers (apt, apk, yum, dnf) and language package managers (python pip) used inside container images.

Overview of the security vulnerabilities found in the official PostgreSQL container images by Red Hat Quay

Another alternative for CI/CD systems is to use a different base image from a different registry, like the Universal Base Image which contains a basic Red Hat Enterprise Linux environment, free to use.

Migrating images with skopeo

In case you want to migrate your existing images to another registry like you can leverage skopeo. Like podman and buildah it is part of a toolchain that enables working with containers and images without the need for a docker daemon to be running and without requiring elevated privileges or root access on your OS.

skopeo can be used to easily copy your container images from one registry to another, like so:

$ skopeo login
Username: dmesser
Login Succeeded!

$ skopeo login
Username: dmesser
Login Succeeded!

$ skopeo sync --src docker --dest docker
INFO[] Tag presence check                   tagged=false
INFO[] Getting tags                        
INFO[] Copying image tag 1/1                         from="docker://dmesser/nginx:latest" to="docker://"
Getting image source signatures
Copying blob bc51dd8edc1b done
Copying blob 66baf57 done
Copying blob bfaa10aa5 done
Copying config e0bcb6 done
Writing manifest to image destination
Storing signatures
INFO[] Synced 1 images from 1 sources

This is all it takes to sync an entire repository called nginx, including all tags, from Docker Hub to

$ podman pull
Trying to pull
Getting image source signatures
Copying blob bfaa10aa5 done
Copying blob 66baf57 done
Copying blob bc51dd8edc1b done
Copying config e0bcb6 done
Writing manifest to image destination
Storing signatures

For mass migration of entire repositories skopeo has great facilitates for automation, check out the skopeo-sync documentation. This is suitable for one-off migration as well as regular synchronization of incremental changes as part of a simple cron job.

Notice that by default, repositories are private after creation.. You can make them public in the settings menu of the repository. This is a default setting we plan to make configurable in the future. comes with a free tier which does not incur any cost and allows unlimited public container images. Subscription models are available, ranging from developers who need private repositories all the way to offerings suitable for entire organizations or companies, check out the available plans.


Hub throttling docker

What you need to know about upcoming Docker Hub rate limiting

On August 24th, we announced the implementation of rate limiting for Docker container pulls for some users. Beginning November 2, Docker will begin phasing in limits of Docker container pull requests for anonymous and free authenticated users. The limits will be fully enforced Monday, November 2, from am PT, and then reduced to 5, pulls per 6 hours for anonymous and free users. This will briefly inform some users whether they are exceeding the limits, but allow service to resume within an hour. The limits will be gradually reduced over a number of weeks until the final levels (where anonymous users are limited to container pulls per six hours and free users limited to container pulls per six hours) are reached. All paid Docker accounts (Pro. Team or Legacy subscribers) have up to 50, pulls in a 24 hour period.

The rationale behind the phased implementation periods is to allow our anonymous and free tier users and integrators to see the places where anonymous CI/CD processes are pulling container images. This will allow Docker users to address the limitations in one of two ways:  upgrade to a Docker Pro or Docker Team subscription,  or adjust application pipelines to accommodate the container image request limits.  After a lot of thought and discussion, we&#;ve decided on this gradual, phased increase over the upcoming weeks instead of an abrupt implementation of the policy. An up-do-date status update on rate limitations is available at

Docker users can get an up-to-date view of their usage limits and updated status messages by querying for current pulls used as well as header messages returned from the Docker Hub API. This blog post walks developers through how they can access their current account usage as well as understanding the header messages. And finally, Docker user can upgrade their number of pulls by upgrading to a Pro or Team subscription: subscription details and upgrade information is available at And non-commercial open source projects can apply for a sponsored Open Source Docker account by filling out this application.  No pull rate restrictions will be applied to namespaces approved as non-commercial Open Source projects.

Docker Tutorial for Beginners 10 - How to Use DockerHub

Learn More

On November 20, , rate limits anonymous and free authenticated use of Docker Hub went into effect. Anonymous and Free Docker Hub users are limited to and container image pull requests per six hours. You can read here for more detailed information.

If you are affected by these changes you will receive this error message:


You must authenticate your pull requests.

To increase your pull rate limits you can upgrade your account to a Docker Pro or Team subscription.

The rate limits of container image requests per six hours for anonymous usage, and container image requests per six hours for free Docker accounts are now in effect. Image requests exceeding these limits will be denied until the six hour window elapses.

NOTE: Docker Pro and Docker Team accounts enable 5, pulls in a 24 hour period from Docker Hub.  

Here are the steps you can follow to understand and manage usage for anonymous and free usage of Docker Hub in your app development process:

  • Understand your Docker Hub usage. You can get a real time understanding of your current usage right from the Docker CLI. This blog post shows you how to get an updated usage number for your account and see if the rate limitation enforcement will impact your account.
  • Upgrade to Pro or Team if necessary. One of the key benefits is an increased number of pulls to 5, in a 24 hour period from Docker Hub. Plans start at $5 per month per developer, you can learn more and upgrade your subscription at the Docker Pricing page.
  • Monitor your usage and adjust accordingly. Docker Hub will return a header message indicating when a usage limit has been reached. When you exceed, you can adjust your process to reduce consumption, or upgrade to a Docker Pro or Docker Team subscription.

Now discussing:

Download rate limit

Estimated reading time: 5 minutes

What is the download rate limit on Docker Hub

Docker Hub limits the number of Docker image downloads (“pulls”) based on the account type of the user pulling the image. See the pricing page for current options.

Some images are unlimited through our Open Source and Publisher programs.

Unlimited pulls by IP is also available through our Large Organization plan.

Definition of limits

A user’s limit is equal to the highest entitlement of their personal account or any organization they belong to. To take advantage of this, you must log in to Docker Hub as an authenticated user. For more information, see How do I authenticate pull requests. Unauthenticated (anonymous) users will have the limits enforced via IP.

  • A pull request is defined as up to two requests on registry manifest URLs ().
  • A normal image pull makes a single manifest request.
  • A pull request for a multi-arch image makes two manifest requests.
  • requests are not counted.

How do I know my pull requests are being limited

When you issue a pull request and you are over the limit for your account type, Docker Hub will return a response code with the following body when the manifest is requested:

You will see this error message in the Docker CLI or in the Docker Engine logs.

How can I check my current rate

Valid manifest API requests to Hub will usually include the following rate limit headers in the response:

These headers will be returned on both GET and HEAD requests. Note that using GET emulates a real pull and will count towards the limit; using HEAD will not, so we will use it in this example. To check your limits, you will need , , and installed.

To get a token anonymously (if you are pulling anonymously):

To get a token with a user account (if you are authenticating your pulls) - don’t forget to insert your username and password in the following command:

Then to get the headers showing your limits, run the following:

Which should return headers including these:

This means my limit is per seconds (6 hours), and I have 76 pulls remaining.

Remember that these headers are best-effort and there will be small variations.

If you do not see these headers, that means pulling that image would not count towards pull limits. This could be because you are authenticated with a user associated with a Pro/Team Docker Hub account, or because the image or your IP is unlimited in partnership with a publisher, provider, or an open-source organization.

I’m being limited even though I have a paid Docker subscription

To take advantage of the higher limits included in a paid Docker subscription, you must authenticate pulls with your user account.

A Pro, Team, or a Business tier does not increase limits on your images for other users. See our Open Source, Publisher, or Large Organization offerings.

How do I authenticate pull requests

The following section contains information on how to log into on Docker Hub to authenticate pull requests.

Docker Desktop

If you are using Docker Desktop, you can log into Docker Hub from the Docker Desktop menu.

Click Sign in / Create Docker ID from the Docker Desktop menu and follow the on-screen instructions to complete the sign-in process.

Docker Engine

If you are using a standalone version of Docker Engine, run the command from a terminal to authenticate with Docker Hub. For information on how to use the command, see docker login.

Docker Swarm

If you are running Docker Swarm, you must use the flag to authenticate with Docker Hub. For more information, see docker service create. If you are using a Docker Compose file to deploy an application stack, see docker stack deploy.

GitHub Actions

If you are using GitHub Actions to build and push Docker images to Docker Hub, see login action. If you are using another Action, you must add your username and access token in a similar way for authentication.


If you are running Kubernetes, follow the instructions in Pull an Image from a Private Registry for information on authentication.

Third-party platforms

If you are using any third-party platforms, follow your provider’s instructions on using registry authentication.

Other limits

Docker Hub also has an overall rate limit to protect the application and infrastructure. This limit applies to all requests to Hub properties including web pages, APIs, image pulls, etc. The limit is applied per-IP, and while the limit changes over time depending on load and other factors, it is in the order of thousands of requests per minute. The overall rate limit applies to all users equally regardless of account level.

You can differentiate between these limits by looking at the error code. The “overall limit” will return a simple response. The pull limit returns a longer error message that includes a link to this page.

Docker, pull requests, download, limit

190 191 192 193 194