Docker Runner

container-registry

A container registry is storage for Docker images that can be used by the private and public Docker runners. See GitLab Container Registry for details.

Private images should not use the public runner, for the security reasons described below.

public-docker (not suitable for private images)

The public docker runner pulls an image only if it does not already exist locally, so a job starts faster if its image is already cached on the runner.

example: image jojomi/hugo

The Hugo image is used to create this documentation. See the Hugo example for more detailed information.

pages:
  tags:
  - public-docker
  image: jojomi/hugo
  script:
  - hugo version
  - hugo
  artifacts:
    paths:
    - public
  only:
  - master

security

The public docker runner pulls images only if they don’t already exist (if-not-present pull policy). If the runner finds a local version of the image, it uses it even if the image could not be pulled because of missing credentials.

On public-docker, the following sequence would be possible:

  1. User A has a private image at registry.example.com/image/name.
  2. User A starts a build on a shared runner: the build receives the registry credentials and pulls the image after authorizing against the registry.
  3. The image is stored on public-docker.
  4. User B doesn’t have access to the private image at registry.example.com/image/name.
  5. User B starts a build that is using this image on the same shared runner as User A: Runner finds a local version of the image and uses it even if the image could not be pulled because of missing credentials.
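The sequence above, replayed in an added toy model (not GitLab Runner's own code) that contrasts the if-not-present policy with the always policy; the SharedRunner class, the registry ACL and the user names are assumptions made for the illustration:

```python
"""Toy model of the pull-policy decision on a shared Docker runner."""
from dataclasses import dataclass, field

# Image name taken from the sequence above; the ACL below is constructed.
PRIVATE_IMAGE = "registry.example.com/image/name"


class PullDenied(Exception):
    """The registry refused the pull (missing or wrong credentials)."""


@dataclass
class SharedRunner:
    pull_policy: str                # "always" or "if-not-present"
    registry_acl: dict              # image -> set of users allowed to pull it
    local_images: set = field(default_factory=set)  # images cached on the host

    def _pull(self, image, user):
        # The registry authorizes the pull only for users listed in the ACL.
        if user not in self.registry_acl.get(image, set()):
            raise PullDenied(f"{user} may not pull {image}")
        self.local_images.add(image)   # a successful pull lands in the shared cache

    def run_job(self, image, user):
        """Return 'ran' if the job got the image, 'denied' otherwise."""
        if self.pull_policy == "if-not-present" and image in self.local_images:
            return "ran"               # cached copy used; registry never consulted
        try:
            self._pull(image, user)    # "always" re-authorizes on every job
        except PullDenied:
            return "denied"
        return "ran"


def replay_sequence(pull_policy):
    """Replay steps 1-5 above; returns (user A result, user B result)."""
    runner = SharedRunner(pull_policy, {PRIVATE_IMAGE: {"user-a"}})
    a = runner.run_job(PRIVATE_IMAGE, "user-a")  # step 2: pulls with credentials
    b = runner.run_job(PRIVATE_IMAGE, "user-b")  # step 5: no access to the image
    return a, b


if __name__ == "__main__":
    for policy in ("if-not-present", "always"):
        print(policy, replay_sequence(policy))
```

With if-not-present, User B's job runs on User A's cached private image; with always, the registry is asked again and the job is denied. On a real runner the equivalent hardening is `pull_policy = "always"` in the `[runners.docker]` section of config.toml.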