Docker Hub — alert when approaching pull rate limit
Anonymous image pulls hit Docker Hub limits (100/6h per IP) — CI starts failing with TooManyRequests. Usually visible only after you are already over.
Recipe
#!/usr/bin/env bash
# /etc/cron.d/dockerhub-quota
# */30 * * * * root /opt/dockerhub-quota.sh
# Get an anonymous token, then check pull headers
TOKEN=$(curl -fsS "https://auth.docker.io/token?service=registry.docker.io&scope=repository:ratelimitpreview/test:pull" | jq -r .token)
HEADERS=$(curl -fsS -I -H "Authorization: Bearer $TOKEN" \
"https://registry-1.docker.io/v2/ratelimitpreview/test/manifests/latest")
LIMIT=$(echo "$HEADERS" | awk -F'[:;]' '/ratelimit-limit/ {gsub(/ /,"",$2); print $2}')
REMAIN=$(echo "$HEADERS" | awk -F'[:;]' '/ratelimit-remaining/{gsub(/ /,"",$2); print $2}')
PCT=$((REMAIN * 100 / (LIMIT > 0 ? LIMIT : 1)))
if [ "$PCT" -lt 20 ]; then
curl -fsS "$HEARTBEAT_URL" --data "remaining=$REMAIN,limit=$LIMIT,pct=$PCT"
exit 2
fi
echo "OK ($REMAIN/$LIMIT pulls left)"Same thing in Enterno.io
Wrap in an Enterno heartbeat — learn about approaching the limit in advance, switch to authenticated pulls or a mirror before CI breaks.
Related recipes
A container OOM-kills, the restart policy revives it — no external signal until users complain.
docker info hangs >30 s — the daemon is in a split-brain state. Containers keep running (kernel holds the namespaces), but you cannot deploy a new release. systemctl status shows active.
ECR pulls start failing consistently (IRSA expired, network ACL, repo policy mismatch) — pods in k8s cannot start, ImagePullBackOff. But the kubelet event pages nobody.