Overview

Blacksmith runs local Docker registry mirrors across our fleet. These work as pull-through caches for public images: the first pull for any image hits Docker Hub, and after that, all subsequent pulls (across organizations) are served from a node-local registry backed by our colocated cache store.
The pull-through mirror only caches public images. Private images are not cached.

Basics

Preventing rate limit errors

Since pulls are served from local mirrors, your CI jobs won’t hit Docker Hub’s rate limits nearly as often. Before the mirrors, customers would run into errors like:
ERROR: toomanyrequests: Too Many Requests.
You have reached your pull rate limit. You may increase the limit by authenticating and upgrading: https://www.docker.com/increase-rate-limits.
This got worse after Docker Hub’s new rate limits on April 1st, 2025. If you’re still hitting rate limits, reach out at [email protected]. As a workaround, authenticating with Docker Hub gives your workflows a higher rate limit.
Use the docker/login-action with your Docker Hub credentials:
    - name: Login to Docker Hub
      uses: docker/login-action@v2
      with:
        username: ${{ secrets.DOCKERHUB_USERNAME }}
        password: ${{ secrets.DOCKERHUB_PASSWORD }}

Authenticating service containers

If you use service containers, authenticate with the credentials option:
jobs:
  build:
    services:
      redis:
        # Docker Hub image
        image: redis
        ports:
          - 6379:6379
        credentials:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_PASSWORD }}
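
To find service containers that still pull from Docker Hub anonymously, a workflow file can be scanned for `services:` entries that have an `image` but no `credentials` block. The script below is an added example, not Blacksmith's or GitHub's code; its function names and the sample workflow are constructed for illustration, and it assumes block-style YAML (no flow-style maps).

```python
SAMPLE_WORKFLOW = """\
jobs:
  build:
    services:
      redis:
        image: redis
        credentials:
          username: ${{ secrets.DOCKERHUB_USERNAME }}
          password: ${{ secrets.DOCKERHUB_PASSWORD }}
      postgres:
        image: postgres:16  # Docker Hub image, no credentials
      cache:
        image: ghcr.io/example/cache:1
"""  # constructed sample workflow, not taken from the page

def is_docker_hub(image):
    # First path component is a registry host only with a dot, a port, or "localhost".
    first, slash, _ = image.partition("/")
    if slash and ("." in first or ":" in first or first == "localhost"):
        return first in ("docker.io", "index.docker.io")
    return True

def parse_services(text):
    """Indentation-based scan of block-style `services:` maps (no flow-style YAML)."""
    services, svc_indent, name_indent, current = [], None, None, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        key, _, value = raw.strip().partition(":")
        value = value.split(" #")[0].strip().strip("'\"")
        if svc_indent is not None and indent <= svc_indent:
            svc_indent = name_indent = current = None  # left the services block
        if svc_indent is None:
            svc_indent = indent if key == "services" and not value else None
            continue
        name_indent = indent if name_indent is None else name_indent
        if indent == name_indent:  # a new service name under services:
            current = {"name": key, "image": None, "credentials": False}
            services.append(current)
        elif key == "image":
            current["image"] = value
        elif key == "credentials":
            current["credentials"] = True
    return services

def unauthenticated_hub_services(text):
    return [(s["name"], s["image"]) for s in parse_services(text)
            if s["image"] and is_docker_hub(s["image"]) and not s["credentials"]]
```

On the sample, only `postgres` is reported: `redis` carries credentials and `cache` is not a Docker Hub image.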