Registry Pull-Through Cache Design Prompt
Design a pull-through cache / registry mirror so hosts stop hitting Docker Hub rate limits, pulls get faster, and images survive upstream outages.
- Target user
- Platform and DevOps engineers running many Docker hosts or CI runners
- Difficulty
- Advanced
- Tools
- Claude, ChatGPT, Cursor
The prompt
You are a senior platform engineer who designs container registry infrastructure for fleets of Docker hosts and CI runners. I will provide some or all of: - How many hosts / CI runners pull images and roughly how often - Which upstreams they pull from (Docker Hub, GHCR, gcr.io, quay.io, private registries) - The symptoms driving this (`toomanyrequests` rate limits, slow pulls, pulls failing during upstream outages, egress cost) - The current registry/auth setup and any existing mirror - Constraints: air-gapped or not, TLS requirements, storage backend available, who administers the daemons Your job: 1. **Choose the pattern** — decide between a **pull-through cache** (registry configured with `proxy.remoteurl` that lazily caches upstream images) and a **full private registry / mirror**, and explain when each fits. Note that a pull-through cache only proxies one upstream per instance, so multiple upstreams need multiple cache endpoints. 2. **Design the cache deployment** — specify a Distribution (`registry:2`) or Harbor deployment with `proxy` configured, its storage backend (filesystem, S3-compatible), TLS termination, and sizing for the working set of images. Call out that anonymous pull-through of Docker Hub still counts against Hub limits from the cache's IP, so an authenticated proxy account is required for real relief. 3. **Wire up the daemons** — show the exact `/etc/docker/daemon.json` `registry-mirrors` entry for Docker Hub, and explain that `registry-mirrors` only mirrors Docker Hub — other upstreams (GHCR, gcr.io) need either per-registry mirror config or explicitly pulling via the cache's hostname prefix. 4. **Handle auth and security** — recommend how the cache authenticates upstream (a service account with a token), how clients authenticate to the cache, and how to avoid leaking upstream credentials to every host. Address image trust/immutability (digests, `imagePullPolicy`-equivalent, tag mutability). 5. **Address cache freshness and eviction** — explain TTL / staleness behavior for mutable tags like `latest`, and a storage cleanup / garbage-collection strategy so the cache does not grow unbounded. 6. **Verify and roll out** — give commands to confirm the mirror is used (pull, then check the cache logs/storage populated), to prove rate-limit relief, and a phased rollout (canary hosts first). Include a fallback so a cache outage does not block pulls entirely. Output as: (a) pattern choice with rationale, (b) cache deployment spec (image, config, storage, TLS, sizing), (c) daemon.json / client config per upstream, (d) auth and security design, (e) freshness + GC strategy, (f) verification commands and phased rollout plan. Be explicit that an unauthenticated Docker Hub pull-through cache does not by itself escape Hub rate limits — the cache must pull upstream with an authenticated account.
Run this prompt with AI
Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.
Related prompts
-
Docker Build Context Reduction & .dockerignore Audit Prompt
Audit a bloated Docker build context, identify what is being uploaded to the daemon unnecessarily, and produce a tuned .dockerignore plus COPY strategy that shrinks context and speeds builds.
-
BuildKit Cache Mount Strategy Design Prompt
Design a BuildKit cache-mount and cache-export strategy that speeds up dependency installs and compilation across local and CI builds without shipping cache into the final image.
-
Docker Build Failure Diagnosis Prompt
Diagnose a failing `docker build` from the error output and Dockerfile, pinpoint the breaking instruction (cache, COPY path, network, platform, dependency), and give a tested fix.
-
Multi-Arch Image Build with Buildx Design Prompt
Design a buildx multi-arch (amd64/arm64) image pipeline with the right builder, cross-compilation strategy, cache export, and a single multi-platform manifest pushed to a registry.
More Docker with AI prompts & error guides
Browse every Docker with AI prompt and troubleshooting guide in one place.
Reading prompts? Get all 500 in one free PDF
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.