
Is "pull policy of [always] for container" optimal?

I noticed that we now have a new gitlab-runner version 18.0.5 in use. Unlike the old 17.x version, this is now emitting "pull policy of [always] for container" when downloading images, e.g.:

Running with gitlab-runner 18.0.5 (3f9b137e)
  on salsa-runner.debian.net f0fdd533, system ID: s_5385d57c9472
  feature flags: FF_USE_FASTZIP:true, FF_DISABLE_UMASK_FOR_DOCKER_EXECUTOR:true, FF_SCRIPT_SECTIONS:true
section_start:1757777722:prepare_executor
Preparing the "docker+machine" executor
Using Docker executor with image registry.salsa.debian.org/salsa-ci-team/pipeline/build:latest ...
Using helper image:  registry.gitlab.com/gitlab-org/gitlab-runner/gitlab-runner-helper:x86_64-v18.0.5
Using effective pull policy of [always] for container registry.gitlab.com/gitlab-org/gitlab-runner/gitlab-runner-helper:x86_64-v18.0.5
Pulling docker image registry.gitlab.com/gitlab-org/gitlab-runner/gitlab-runner-helper:x86_64-v18.0.5 ...
Using docker image sha256:b718f4c4f7fc9ae48935afe10c404a666dc432d428b95d58c25d3e7a74bfd3b8 for registry.gitlab.com/gitlab-org/gitlab-runner/gitlab-runner-helper:x86_64-v18.0.5 with digest registry.gitlab.com/gitlab-org/gitlab-runner/gitlab-runner-helper@sha256:4d2568c3877616724a495dc3d9be115470d767632898dee3bd0ea1fcfe1325f7 ...
Using effective pull policy of [always] for container registry.salsa.debian.org/salsa-ci-team/pipeline/build:latest
Authenticating with credentials from job payload (GitLab Registry)
Pulling docker image registry.salsa.debian.org/salsa-ci-team/pipeline/build:latest ...
Using docker image sha256:a853250ab6f98384afa0641a25c5f3d95762f109156732f41337110c5c274f17 for registry.salsa.debian.org/salsa-ci-team/pipeline/build:latest with digest registry.salsa.debian.org/salsa-ci-team/pipeline/build@sha256:685844982cbb160bc784cb893eb1588e6420418947ad35de59166354d82f495d ...

According to https://docs.gitlab.com/runner/executors/docker/#configure-how-runners-pull-images the options could be "always", "never" or "if-not-present". Unfortunately there aren't any smart options that would conditionally download the images. I wonder if there were potential resource savings to be made if we used policy "if-not-present" and then had on the runners a separate cron/systemd.timer that flushed the image cache every 3h or so?
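As an added example (not part of the original post, and not gitlab-runner code), the following Python script parses job-log lines in the format shown above and reports, per image, the effective pull policy, whether a pull was logged, and the resolved digests. It flags `latest`-tagged references that would be served from the local cache without a registry check under a policy other than `always`. The sample log is constructed with placeholder registry names and digests, and the space- or comma-separated rendering of a multi-value policy list is an assumption.

```python
import re

# Constructed sample in the format of the job log above; names and digests are placeholders.
SAMPLE_LOG = "\n".join([
    "Using effective pull policy of [always] for container registry.example/helper:x86_64-v18.0.5",
    "Pulling docker image registry.example/helper:x86_64-v18.0.5 ...",
    "Using docker image sha256:" + "a" * 64 + " for registry.example/helper:x86_64-v18.0.5"
    " with digest registry.example/helper@sha256:" + "b" * 64 + " ...",
    "Using effective pull policy of [if-not-present] for container registry.example/build:latest",
    "Using docker image sha256:" + "c" * 64 + " for registry.example/build:latest"
    " with digest registry.example/build@sha256:" + "d" * 64 + " ...",
])

ANSI_RE = re.compile(r"\x1b\[[0-9;]*[A-Za-z]")  # raw job logs may carry colour codes
POLICY_RE = re.compile(r"^Using effective pull policy of \[([^\]]*)\] for container (\S+)")
PULL_RE = re.compile(r"^Pulling docker image (\S+) \.\.\.")
IMAGE_RE = re.compile(
    r"^Using docker image sha256:([0-9a-f]{64}) for (\S+) with digest \S+@sha256:([0-9a-f]{64})")

def image_tag(ref):
    """Return the tag of an image reference, or None if it is pinned by digest."""
    if "@sha256:" in ref:
        return None
    name = ref.rsplit("/", 1)[-1]  # last path component, so a registry port is ignored
    return name.split(":", 1)[1] if ":" in name else "latest"

def audit(log_text):
    """Map each image reference in a job log to its policy, pull status and digests."""
    images = {}
    for line in log_text.splitlines():
        line = ANSI_RE.sub("", line).strip()
        if m := POLICY_RE.match(line):
            # Assumption: several policies are separated by spaces or commas
            images.setdefault(m.group(2), {})["policy"] = re.split(r"[,\s]+", m.group(1).strip())
        elif m := PULL_RE.match(line):
            images.setdefault(m.group(1), {})["pulled"] = True
        elif m := IMAGE_RE.match(line):
            images.setdefault(m.group(2), {}).update(image_id=m.group(1), repo_digest=m.group(3))
    for ref, info in images.items():
        info.setdefault("pulled", False)
        info["floating_tag"] = image_tag(ref) == "latest"
        # A floating tag resolved from cache without a registry check can lag the registry
        info["may_be_stale"] = info["floating_tag"] and "always" not in info.get("policy", [])
    return images
```

Comparing `repo_digest` for the same reference across jobs and runners shows how often the image behind a tag actually changes, which is the figure needed to weigh a cache-flush interval against always checking the registry.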
