Organisation pull attribution couples users / environments

[YuryHrytsuk]

Question

We have a [Dockerhub] Organisation where we store images for Master, Staging and Production deployments. According to Pull attribution doc, in some (actually many) cases Organisation's pull limits are used while pulling an image with an authenticated docker user (we have separate user for each environment).

How can I make sure, that pulling of image for master environment cannot affect production environment (for example by using up all available organisation pull limits)?

[sheltongraves]

Hey @YuryHrytsuk. If I'm understanding correctly you have images for master, staging and production under the same organization. Any pulls from users in that organization will count towards the pull limit. However, when you reach and exceed the pull limit, further pulls are not blocked so your production deployments would not be affected. You will just incur overage fees for the pulls over the limit.

[YuryHrytsuk]

Hey @YuryHrytsuk. If I'm understanding correctly you have images for master, staging and production under the same organization. Any pulls from users in that organization will count towards the pull limit. However, when you reach and exceed the pull limit, further pulls are not blocked so your production deployments would not be affected. You will just incur overage fees for the pulls over the limit.

Hi @sheltongraves,

Thank you for your answer. I was initially thinking, that I can avoid "coupling" pull limits by using separate users per environment within the same organisation which is apparently not the case.

I have 2 further questions:

• Is there a way to decouple pull limits between environments (master, stag, prod) with the same org?
• How much are the fees for users pulling above limit?

[sheltongraves]

The pull limits are per org subscription. You wouldn't be able to decouple pulls from the same org. You would able to decouple using multiple orgs.

You can find the pricing for pulls here: https://www.docker.com/pricing/

[YuryHrytsuk]

The pull limits are per org subscription. You wouldn't be able to decouple pulls from the same org. You would able to decouple using multiple orgs.

You can find the pricing for pulls here: https://www.docker.com/pricing/

That's my point.

It sounds reasonable [to me] to have one org and use images from the same org.

The problem is:

• with existing docker "approach" to attribute and limit pulls, having the same org means that master, stag and prod environments can affect each other since they all share the same pull limit.
• there is no way [apparently] to decouple this while using single org

[sheltongraves]

Can you elaborate more on how the pulls for different environment would be affected? The limit will NOT block pulls when they are reached.

[YuryHrytsuk]

Can you elaborate more on how the pulls for different environment would be affected? The limit will NOT block pulls when they are reached.

Ok. Since after reaching the limit, one does not get blocked (but get charged for extra pulls instead) makes the "affect" component less important.

As stated in the PR Title, organisation may couple users (when certain conditions of docker pull attribution met) since users share the same docker pull limit (i.e. pulling image on master environment will also reduce number of free / within-limit pulls from staging and production)

[YuryHrytsuk]

But I still wonder, if [in certain scenarios] making different users share the same organisation pull limit is a bad architectural pattern?

Ideally, I want to keep master, staging and production completely independent. It also sounds reasonable that these stages will use images from the same Dockerhub organisation. But if you do use the same Dockerhub organisation, you (in certain scenarios) automatically share the same docker pull limit.

Perhaps my docker resource (users, repositories and organisations) configuration is wrong. And there is a way to pull images from the same organisation without sharing the same docker pull limit 🤷