Add `if-newer` pull policy for Docker images
Description
Right now, the pull policy for Docker images of a GitLab runner can be configured as `never`, `if-not-present`, or `always` (default). `never` means that the runner can only use Docker images manually pulled by the runner administrator, while the other two options allow for the dynamic downloading of Docker images from a specified source.
`if-not-present` causes the image to be downloaded only if it is not already present on the runner, but it does not check whether a newer image or updated layers exist. It also has security implications, because users can potentially bypass the authentication of private Docker registries.
The `always` option causes the image to be downloaded from the specified source each time a run is triggered. This option is the default configuration. However, this behavior can potentially cause high network traffic when used with bigger Docker images, and it also slows down the process, since the image is downloaded for every build.
I am missing an option that offers functionality similar to `if-not-present`, but which also checks for a newer image and updated layers. Such an option would allow for reducing network traffic and build time without the need for manually pulling updated images and layers on a particular runner. In principle, it has the same security implications as `if-not-present`, but this might be acceptable in some use cases.
UPDATE: This issue is closed because the `always` policy will already first check if the image is available locally, and only if not will it download it from the remote registry. The documentation will be updated to make this clear. Other requirements that were mentioned, such as the need for different pull policies per remote, should be captured in separate issues.
Proposal
I propose adding a new option `if-newer` as a choice for the pull policy, which implements the functionality described above.
The logic to check whether an image is newer should be as follows:
- Check if the image is available locally
- Get the SHA of the local image
- Get the SHA of the remote image if `if-newer` is set
- If the SHAs of the local and remote image differ, do a `docker pull`
- If we fail to get the SHA of the remote image, use the local image instead
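The steps above, as an added shell sketch of the proposed `if-newer` decision; this is example code, not GitLab Runner's implementation. It assumes `docker` and `skopeo` are on PATH, using `skopeo inspect` for the remote digest because it reports the manifest digest that matches the `RepoDigests` entry Docker records for the same reference.

```shell
#!/bin/sh
# Added example of an `if-newer` pull policy (not GitLab Runner code).
# Assumes: docker and skopeo on PATH; the image reference is in a
# registry skopeo can reach with the same credentials docker uses.

# Print the local manifest digest (sha256:...) or nothing if the image is
# not present. Locally built images have no RepoDigests entry and are
# therefore treated as "not present" and pulled.
local_digest() {
    docker image inspect --format '{{index .RepoDigests 0}}' "$1" 2>/dev/null \
        | sed 's/.*@//'
}

# Print the digest the registry currently serves, or nothing on failure
# (offline, auth error, unknown image).
remote_digest() {
    skopeo inspect --format '{{.Digest}}' "docker://$1" 2>/dev/null
}

# Decide and act. Prints one of: pull-missing, pull-newer, use-local,
# use-local-fallback. Exit status is that of `docker pull` when it runs.
if_newer_pull() {
    image="$1"
    have=$(local_digest "$image" || true)
    if [ -z "$have" ]; then
        # Not available locally: plain pull, same as if-not-present.
        echo pull-missing
        docker pull "$image" >/dev/null
        return $?
    fi
    want=$(remote_digest "$image" || true)
    if [ -z "$want" ]; then
        # Remote check failed: keep using the local image.
        echo use-local-fallback
        return 0
    fi
    if [ "$have" != "$want" ]; then
        # Digests differ: the registry has a newer image, pull it.
        echo pull-newer
        docker pull "$image" >/dev/null
        return $?
    fi
    echo use-local
}
```

The fallback branch is what keeps builds running when the registry is unreachable, but it also means a stale image is silently reused, so the decision string is worth logging on the runner.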