Change golang base image to public ECR to avoid rate limit #70
Thanks for this! The change itself is probably safe to go in, but I would like to make sure we are fully clear on the implication of using "non-official Docker registry" -- although AWS copy may also be considered as an official repository, I myself am not familiar with it and would love to get some clarification on that! 🙏
A gentle bump on this one. Docker is really limiting public unauthenticated image pulls, especially on persistent self-hosted runners. I'm guessing they are using IP-based origin detection or something similar. Check out this AWS help article for more guidance: https://repost.aws/knowledge-center/ecs-pull-container-error-rate-limit
@lxe Thanks for the input here! It's certainly not our intention to get blocked by the rate limit, and the public gallery from AWS seems to be managed based on the docker's repo-info: https://github.com/docker-library/repo-info/tree/master/repos/golang

Amazon ECR Rate Limit

However, the Amazon ECR side also has some rate limit -- theirs is more to do with the bandwidth, 50GB per month (https://aws.amazon.com/about-aws/whats-new/2020/12/announcing-amazon-ecr-public-and-amazon-ecr-public-gallery/ -- it also mentions 500 GB, and I'm not sure which one's correct). Authenticated AWS account will get the limit bumped to 5 TB.

Docker Hub Rate Limit

Speaking of authentication, with Docker Hub, you can also get some rate limit bump to 200 pulls per 6 hours, or 5,000 per day for a paid subscription. Authentication using
Hey guys, thanks for your replies,
True! It does exist there too, even if the form is not the same
Thanks for your additional notes, and that's true, by paying one can pull a lot more from the public docker repository
I didn't think about that and it's interesting, while I don't have an answer I agree with your idea to allow users to change the base image if they wish to. I'm not sure to understand the
What do you think?
Precisely, what I suggested is not the best solution for sure due to its maintenance overhead. If there is a way to override, that would be ideal -- but I'm personally not sure how one could do that, especially when it's about updating Dockerfile before the step starts executing. I'm open to ideas, just don't have a better one myself... 🫠
Hmmm 🤔. Does that mean we don't have the possibility to override the ARGS when building the image when defining merge-gatekeeper's actions?

```yaml
merge-gatekeeper:
  runs-on: ubuntu-latest
  permissions:
    checks: read
    statuses: read
  steps:
    - name: Run Merge Gatekeeper
      uses: upsidr/merge-gatekeeper@v1
      with:
        token: ${{ secrets.GITHUB_TOKEN }}
        docker-arg-base-image: ?
```

```dockerfile
# ARG BASE_REPOSITORY=golang
ARG GO_VERSION=1.16.7
# Add version flavour
ARG GO_SPECIFIC_TAG=-alpine
FROM ${BASE_REPOSITORY}:${GO_VERSION}${GO_SPECIFIC_TAG}
```
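The ARG-driven `FROM` line in the comment above means the registry a build pulls from depends on the build arguments, which is the trust question raised at the top of this thread. The following is an added example, not code from this thread or from the merge-gatekeeper project: it resolves the base image the way Docker substitutes pre-`FROM` ARGs and checks the resulting registry against an allowlist. It assumes `BASE_REPOSITORY` is declared as an active ARG; the allowlist, the function names and the sample override values are hypothetical.

```python
import re

# Constructed sample: the ARG/FROM pattern from the comment above, with
# BASE_REPOSITORY declared as an active ARG (an assumption of this example).
DOCKERFILE = """\
ARG BASE_REPOSITORY=golang
ARG GO_VERSION=1.16.7
# Add version flavour
ARG GO_SPECIFIC_TAG=-alpine
FROM ${BASE_REPOSITORY}:${GO_VERSION}${GO_SPECIFIC_TAG}
"""

ALLOWED_REGISTRIES = {"docker.io", "public.ecr.aws"}  # hypothetical policy
_VAR = re.compile(r"\$\{(\w+)\}|\$(\w+)")  # handles ${VAR} and $VAR only


def resolve_base_image(dockerfile, build_args=None):
    """Return the first FROM reference after ARG substitution."""
    overrides = build_args or {}
    args = {}
    for raw in dockerfile.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, rest = line.partition(" ")
        if keyword.upper() == "ARG":
            # A --build-arg value replaces the default of a *declared* ARG;
            # build args that the Dockerfile never declares are not applied.
            name, _, default = rest.strip().partition("=")
            args[name] = overrides.get(name, default)
        elif keyword.upper() == "FROM":
            # Skip flags such as --platform=...; ignore a trailing "AS stage".
            ref = next(t for t in rest.split() if not t.startswith("--"))
            return _VAR.sub(lambda m: args.get(m.group(1) or m.group(2), ""), ref)
    raise ValueError("no FROM instruction found")


def registry_of(image_ref):
    """Registry host of an image reference; bare names default to docker.io."""
    first, slash, _ = image_ref.partition("/")
    if slash and ("." in first or ":" in first or first == "localhost"):
        return first
    return "docker.io"


def check(dockerfile, build_args=None):
    """Return (resolved reference, registry, allowed-by-policy)."""
    ref = resolve_base_image(dockerfile, build_args)
    registry = registry_of(ref)
    return ref, registry, registry in ALLOWED_REGISTRIES
```

Run as a pre-build step, a check like this makes a registry change an explicit policy decision rather than a side effect of an overridden build argument.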
If anyone is interested, we kept encountering the Docker rate limit and decided to fork this action. We have updated it to be a native action by creating a wrapper that targets the appropriate binary depending on the runner architecture. To give it a go, please check it out here: https://github.com/surgeventures/merge-gatekeeper.
For issue #69
I believe the best way to avoid that would be to have the action written in a natively supported GitHub Action language such as JavaScript, but that would do the trick in the meantime 👍
What do you think?