What is 'gitlab/gitlab-runner-helper' docker image used for?

Question

My overall goal is to install a self-hosted gitlab-runner that is restricted to use prepared docker images from my own docker registry only.

For that I have a system.d configuration that looks like:

/etc/systemd/system/docker.service.d/allow-private-registry-only.conf

BLOCK_REGISTRY='--block-registry=all'
ADD_REGISTRY='--add-registry=my.private.registry:8080'

By this, docker pull is allowed to pull images from my.private.registry/ only.

After I had managed to get this working, I wanted to clean up my local registry and remove old docker images. It was during that process when I stumbled over a docker image named gitlab/gitlab-runner-helper which presumably is some component used by the gitlab-runner itself and presumably has been pulled from docker.io.

Now I'm wondering if it is even possible/advisable to block images from docker.io when using a gitlab-runner?

Any hints are appreciated!

Answer 1

I feel my sovereign duty to extend the accepted answer (it is great btw), because the word 'handle' basically tells us not so much, it is too abstract. Let me explain the whole flow in far more details:

1. When the build is about to begin, gitlab-runner creates a docker volume (you can observe it with docker volume ls if you want). This volume will serve as a storage for caches and artifacts that you are using during the build.

2. The second thing - You will have at least 2 containers involved in each stage: gitlab-runner-helper, container and the container created from the image you specified (in .gitlab-ci.yml or in config.toml). What gitlab-runner-helper container does, is essentially just cloning the remote git repository (that you are building) in the aforementioned docker volume along with caches and artifacts.

It can do it because within gitlab-runner-helper image itself are 2 important utilities: git (obviously - to clone the repo) and gitlab-runner-helper binary (this utility can pull and push artifacts, caches)

3. The gitlab-runner-helper container starts before each stage for a couple of seconds, to pull artifacts and caches, and then terminates. After that the container, created from image that you specified will be launched, ant it will also have this volume (from step 1) attached - this is how it receives artifacts btw.

The rest of the details about the registry from where gitlab-runner-helper get pulled are described by @Nicolas pretty well. I append this comment just for someone, who, perhaps, wants to know what exactly means this sneaky 'handle' word.

Hope it helps, have a nice day, my friend!