Opened at 2021-08-10T18:20:56Z
Closed at 2021-08-11T14:23:48Z
#3759 closed defect (fixed)
The CircleCI Dockerhub authorization context prevents contributions from GitHub.com forked repositories from running
| Reported by: | exarkun | Owned by: | GitHub <noreply@…> |
|---|---|---|---|
| Priority: | normal | Milestone: | undecided |
| Component: | unknown | Version: | n/a |
| Keywords: | Cc: | ||
| Launchpad Bug: |
Description
Our CircleCI jobs use custom Docker images with our dependencies pre-installed in order to speed up the jobs.
Pulling these Docker images from Dockerhub is subject to rate limiting unless supplying credentials to CircleCI so it can authenticate to Dockerhub.
These credentials are stored in a CircleCI project "context" which is only available to "Tahoe committers". Anyone who can read these credentials can push images to our Dockerhub repository.
Because of this "context" PRs from outsider contributors don't have any CircleCI jobs run.
Except maybe we don't actually need to do this authentication anymore. Quoting https://support.circleci.com/hc/en-us/articles/360050623311-Docker-Hub-rate-limiting-FAQ:
Beginning November 1, 2020, Docker Hub will enable rate limits based on the originating IP address. However, CircleCI has partnered with Docker to ensure that our users can continue to access Docker Hub without rate limits. On November 1st, with few exceptions* (listed below), you should not be impacted by any rate limits when pulling images from Docker Hub through CircleCI. *Exceptions: Remote Docker and Machine Executors will be impacted by the rate limiting unless pulling CircleCI-published images.
Our CircleCI configuration uses the "Docker" executor but not the "Remote Docker" executor. This seems to suggest we should not be subject to the rate limits even if we do not supply Dockerhub credentials.
If this is the case, we can remove our Dockerhub credentials "context" and remove this barrier for external contributors.
Change History (5)
comment:1 Changed at 2021-08-10T19:18:17Z by sajith
comment:2 Changed at 2021-08-10T19:55:15Z by sajith
On CircleCI side, I am confused by the one success case on PR 1100 branch:
How did that work, and why was that build not unauthorized?
comment:3 Changed at 2021-08-10T20:03:36Z by exarkun
I clicked "retry from start" one time.
comment:4 Changed at 2021-08-10T23:10:49Z by sajith
It is finally dawning upon me that CircleCI's mysterious "unauthorized" message must mean that "this CI run is unauthorized to access some context thing". Oh okay.
comment:5 Changed at 2021-08-11T14:23:48Z by GitHub <noreply@…>
- Owner set to GitHub <noreply@…>
- Resolution set to fixed
- Status changed from new to closed
In 22622b5/trunk:
CircleCI's UI is something of a mystery here. It simply says that PR 1100 is "unauthorized", but not exactly what is unauthorized, why, and how we can solve the problem.
This is a problematic CI run. For a "normal" run, the first thing to run on CircleCI is the "spin up the environment" step, where a Docker image is pulled, as in this example. But in the case of PR 1100, it doesn't seem that any attempt has been made to pull an image from Docker Hub.
This CircleCI forum post looks relevant: How do I know _why_ a build is unauthorized?.
So does this article: Builds "Unauthorized" due to contexts.