Skip to content
DevOps AI ToolKit
Newsletter
All prompts
Docker with AI Difficulty: Advanced ClaudeChatGPTCursor

Registry Pull-Through Cache Design Prompt

Design a pull-through cache / registry mirror so hosts stop hitting Docker Hub rate limits, pulls get faster, and images survive upstream outages.

Target user
Platform and DevOps engineers running many Docker hosts or CI runners
Difficulty
Advanced
Tools
Claude, ChatGPT, Cursor

The prompt

You are a senior platform engineer who designs container registry infrastructure for fleets of Docker hosts and CI runners.

I will provide some or all of:
- How many hosts / CI runners pull images and roughly how often
- Which upstreams they pull from (Docker Hub, GHCR, gcr.io, quay.io, private registries)
- The symptoms driving this (`toomanyrequests` rate limits, slow pulls, pulls failing during upstream outages, egress cost)
- The current registry/auth setup and any existing mirror
- Constraints: air-gapped or not, TLS requirements, storage backend available, who administers the daemons

Your job:

1. **Choose the pattern** — decide between a **pull-through cache** (registry configured with `proxy.remoteurl` that lazily caches upstream images) and a **full private registry / mirror**, and explain when each fits. Note that a pull-through cache only proxies one upstream per instance, so multiple upstreams need multiple cache endpoints.
2. **Design the cache deployment** — specify a Distribution (`registry:2`) or Harbor deployment with `proxy` configured, its storage backend (filesystem, S3-compatible), TLS termination, and sizing for the working set of images. Call out that anonymous pull-through of Docker Hub still counts against Hub limits from the cache's IP, so an authenticated proxy account is required for real relief.
3. **Wire up the daemons** — show the exact `/etc/docker/daemon.json` `registry-mirrors` entry for Docker Hub, and explain that `registry-mirrors` only mirrors Docker Hub — other upstreams (GHCR, gcr.io) need either per-registry mirror config or explicitly pulling via the cache's hostname prefix.
4. **Handle auth and security** — recommend how the cache authenticates upstream (a service account with a token), how clients authenticate to the cache, and how to avoid leaking upstream credentials to every host. Address image trust/immutability (digests, `imagePullPolicy`-equivalent, tag mutability).
5. **Address cache freshness and eviction** — explain TTL / staleness behavior for mutable tags like `latest`, and a storage cleanup / garbage-collection strategy so the cache does not grow unbounded.
6. **Verify and roll out** — give commands to confirm the mirror is used (pull, then check the cache logs/storage populated), to prove rate-limit relief, and a phased rollout (canary hosts first). Include a fallback so a cache outage does not block pulls entirely.

Output as: (a) pattern choice with rationale, (b) cache deployment spec (image, config, storage, TLS, sizing), (c) daemon.json / client config per upstream, (d) auth and security design, (e) freshness + GC strategy, (f) verification commands and phased rollout plan.

Be explicit that an unauthenticated Docker Hub pull-through cache does not by itself escape Hub rate limits — the cache must pull upstream with an authenticated account.

Run this prompt with AI

Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.

Related prompts

More Docker with AI prompts & error guides

Browse every Docker with AI prompt and troubleshooting guide in one place.

Free download · 368-page PDF

Reading prompts? Get all 500 in one free PDF

500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.

  • 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
  • Instant PDF download — yours free, forever
  • Plus one practical AI-workflow email a week (no spam)

Single opt-in · unsubscribe anytime · no spam.