Docker Hub enforces limits on the number of image pull requests that an account may make within a certain period of time. Depending on its configuration, your Anchore deployment may exceed the allowable number of requests, resulting in the temporary inability to process images. This article provides guidance on how to keep Anchore's pull requests to Docker Hub within required limits.
Symptoms of Pull Request Limiting
In Anchore, you may discover that Docker Hub's rate limit has been exceeded when you are notified that analysis has failed for an image. The entry in Anchore's event log will indicate the reason for the failure.
You may also receive a message directly from Docker Hub informing you that your account has exceeded the allotted number of image pull requests.
Mitigating Pull Request Limiting
If you encounter rate limiting in your Anchore deployment, the first thing to check is whether any repositories are being watched. Disable the watch option for all repositories unless absolutely necessary. If you continue to have issues with rate limiting, disable the watch option for tags wherever possible.
You may wish to start with a clean slate by disabling the watch option for all repositories and tags. The Anchore support team has developed a script to do this for you automatically. For more information, refer to this article.
Suggestions for Minimizing Pull Requests in Anchore
Adding a repository
When instructed to scan a repository, Anchore will automatically pull images for all tags found in the repository. If the repository contains many tags, Anchore may make a large number of pull requests in a short period of time. Whenever feasible, consider adding individual tags for images of interest rather than all tags in the repository to reduce the number of pull requests
Watching a repository
Anchore provides the ability to watch a repository, meaning that Anchore will periodically check the repository for new tags or updates to existing tags and automatically download the corresponding images. For large or active repositories, this may result in a large number of pull requests. To avoid potential rate limiting, we recommend that you only watch specific tags of interest, and not repositories.
Watching a tag
Anchore provides the ability to watch specific tags and automatically download new images whenever the tags are updated. Watching many tags that are updated frequently may result in a large number of pull requests. Be judicious in the number of tags you are watching to ensure Anchore is not making unnecessary pull requests.