Kubernetes and drone, docker.io rate limits

#1

Failed to pull image "drone/placeholder:1": rpc error: code = Unknown desc = Error response from daemon: toomanyrequests: You have reached your pull rate limit. You may increase the limit by authenticating and upgrading: https://www.docker.com/increase-rate-limit

I have drone and drone-runner-kube installed on kubernetes via the official helm charts.

I need to apply a docker configuration (or secret?) somewhere to use the paid docker.io user I have to avoid rate limits and I cannot find a way to do that, I’ve read the FAQ.

Any hint? Thanks.

#2

Mount the docker config.json file into the runner container, and then tell the runner container the location at which it can load this file using the DRONE_DOCKER_CONFIG configuration parameter.

#3

solution:

apiVersion: helm.fluxcd.io/v1
kind: HelmRelease
metadata:
  name: drone-runner-kube
  namespace: drone
  annotations:
    fluxcd.io/ignore: "false"
spec:
  releaseName: drone-runner-kube
  chart:
    git: https://github.com/drone/charts.git
    ref: master
    path: charts/drone-runner-kube
  values:
    imagePullSecrets:
    - name: regcred
    replicaCount: 2
    env:
      DRONE_NAMESPACE_DEFAULT: drone
      DRONE_RPC_SECRET: drone-secret
      # DRONE_TRACE: true
      # DRONE_DEBUG: true
      DRONE_DOCKER_CONFIG: /root/.docker/config.json
    extraVolumeMounts:
      - name: auth
        mountPath: /root/.docker/
    extraVolumes:
      - name: auth
        persistentVolumeClaim:
          claimName: drone-runner-kube-auth
    rbac:
      buildNamespaces:
        - drone

kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: drone-runner-kube-auth
  namespace: drone
  labels:
    app.kubernetes.io/instance: drone-runner-kube-auth
    app.kubernetes.io/name: drone-runner-kube-auth
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 1Gi
  storageClassName: efs
#4

thanks for taking the time to share your solution :slight_smile: … out of curiosity, could you also mount from a secret?

    extraVolumes:
      - name: auth
        secret:
          secretName: my-registry-credentials-secret
#5

good idea, I’m going to try given I already have a secret, will report back – the problem is that I don’t have a clear indicator (beside failure) that credentials are in use and working (not rate limited at this time)

#6

seems fine, thanks for the hint :+1:

#7

Thanks a lot for this solution :star_struck:
I still have this message when the build step starts
Registry credentials or Docker config not provided. Guest mode enabled.
Is it normal ? How can I check that, while building a docker image with plugins/docker, the credentials are used to pull the base image ?
Thanks a lot for your help

#8

not sure about that but you might try adding

image_pull_secrets:
- mysecretname

in your .drone.yml

#9

I found all suggested options very unpractical. It should be in GUI like secrets, preferably as a global setting for all jobs.

I set global creds on the entire Kubernetes node (to avoid being banned on DockerHub, because someone didn’t set a drone.yml properly)

In /etc/crio/crio.conf

global_auth_file = "/etc/kubernetes/dockerauth.json"

podman login docker.io --authfile=/etc/kubernetes/dockerauth.json

#10

There are many options for providing credentials (not all are discussed in this thread). See How to prevent DockerHub pull rate limit errors

We try to avoid global configuration in the user interface; Drone has hundreds of configuration parameters and creating and maintaining a UI to manage all of them would require substantial effort with (in my opinion) limited overall benefit.

I think the best option is to provide the global credentials to the runner is to provide a json credentials file (as shown in the link I provided). This may not be as easy as managing the setting in the user interface, but it is also not that difficult.