Docker Runner

container-registry

A container registry stores Docker images that can be used by the private and public Docker runners. See GitLab Container Registry for details.

Private images should not use the public runner for security reasons.

public-docker (not suitable for secret docker images)

The public Docker runner pulls an image only if it does not already exist locally, so a job starts faster if the image has already been stored on the runner.

example1: use your own image from the container registry at JSC GitLab

This example uses an openSUSE Linux image. It is created here: https://gitlab.version.fz-juelich.de/sharedrunner/opensuse

test:
  image: gitlab.version.fz-juelich.de:5555/sharedrunner/opensuse
  tags:
  - public-docker
  script:
  - uname -a

You may create your own Docker image by creating a project https://gitlab.version.fz-juelich.de/username/projectname with the GitLab Container Registry enabled. The image will be available here: gitlab.version.fz-juelich.de:5555/username/projectname.

example2: use the image jojomi/hugo from Docker Hub

The Hugo image is used to create this documentation. See Hugo example for more detailed information.

pages:
  image: jojomi/hugo
  tags:
  - public-docker
  script:
  - hugo version
  - hugo
  artifacts:
    paths:
    - public

security

The public docker runner pulls images only if they don’t already exist (if-not-present pull policy). If the runner finds a local version of the image, it uses it even if the image could not be pulled because of missing credentials.

On public-docker, the following sequence would be possible:

  1. User A has a private image at registry.example.com/image/name.
  2. User A starts a build on a shared runner: The build receives the registry credentials and pulls the image after authorization in the registry.
  3. The image is stored on public-docker.
  4. User B doesn’t have access to the private image at registry.example.com/image/name.
  5. User B starts a build that is using this image on the same shared runner as User A: Runner finds a local version of the image and uses it even if the image could not be pulled because of missing credentials.
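
The sequence above, replayed in a small model of a shared runner's image cache. This is an added example, not GitLab Runner code and not part of the original page; it contrasts the if-not-present behaviour with GitLab Runner's "always" pull policy, under which every job must authenticate to the registry. The Registry and Runner classes and the user names are hypothetical.

```python
# Added model of a shared Docker runner's image cache (not GitLab Runner code).
# Registry, Runner and the user names are hypothetical; "if-not-present" and
# "always" are GitLab Runner pull_policy values.

class AccessDenied(Exception):
    pass

class Registry:
    """Private registry: maps image name -> set of users allowed to pull."""
    def __init__(self, acl):
        self.acl = acl

    def pull(self, image, user):
        if user not in self.acl.get(image, set()):
            raise AccessDenied(f"{user} may not pull {image}")
        return f"layers-of:{image}"

class Runner:
    """Shared runner whose local image cache is common to all users' jobs."""
    def __init__(self, registry, pull_policy):
        self.registry = registry
        self.pull_policy = pull_policy
        self.cache = {}

    def run_job(self, user, image):
        if self.pull_policy == "if-not-present" and image in self.cache:
            # Cache hit: the registry is never asked, so nothing is authorized.
            return f"{user} ran job with cached {image}"
        # "always", or a cache miss: the job must authenticate to the registry.
        self.cache[image] = self.registry.pull(image, user)
        return f"{user} ran job with pulled {image}"

def replay(pull_policy):
    """Replay the User A / User B sequence and return both outcomes."""
    image = "registry.example.com/image/name"
    runner = Runner(Registry({image: {"user-a"}}), pull_policy)
    results = [runner.run_job("user-a", image)]
    try:
        results.append(runner.run_job("user-b", image))
    except AccessDenied as exc:
        results.append(f"denied: {exc}")
    return results

if __name__ == "__main__":
    for policy in ("if-not-present", "always"):
        print(policy, "->", replay(policy))
```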