Add `if-newer` pull policy for Docker images
Right now, the pull policy for Docker images of a GitLab Runner can be configured as:

- `never` means that the runner can only use Docker images manually pulled by the runner administrator, while the other two options allow for the dynamic downloading of Docker images from a specified source.
- `if-not-present` causes the image to be downloaded only if it is not already present on the runner, but it does not check whether a newer image or updated layers exist. It also has security implications, because users can potentially bypass the authentication of private Docker registries.
- `always` causes the image to be downloaded from the specified source each time a run is triggered. This option is the default configuration. However, this behavior can cause high network traffic when used with bigger Docker images, which also slows down the process, since the image is downloaded for every build.
I am missing an option which offers functionality similar to `if-not-present`, but which also checks for a newer image and updated layers. Such an option would allow reducing network traffic and build time without the need to manually pull updated images and layers on a particular runner. In principle, it has the same security implications as `if-not-present`, but this might be acceptable in some use cases.
I propose adding a new option `if-newer` as a choice for a pull policy, which implements the functionality described above.
The logic to check whether an image is newer should be as follows:

- Check if the image is available locally.
- Get the SHA of the local image.
- Get the SHA of the image remotely if
- If the SHAs of the local and remote image differ, do a git pull.
- If we fail to get the SHA from the remote image, use the local image instead.
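The decision logic above, written out as a small Go program. This is an added example, not GitLab Runner code: it assumes an `ImageStore` interface of its own and an in-memory stand-in for the Docker daemon and registry with made-up digests. In a real executor the local lookup would correspond to reading `RepoDigests` from an image inspect and the remote lookup to a distribution inspect of the tag, which returns the manifest digest without downloading layers. Beyond the five steps, the example adds an optional fail-closed switch for the case the proposal itself flags: when the remote check fails because the registry rejected the credentials, silently falling back to the local copy is exactly the private-registry bypass noted for `if-not-present`.

```go
package main

import (
	"errors"
	"fmt"
)

// Decision is what the executor should do for a job image under `if-newer`.
type Decision int

const (
	UseLocal Decision = iota // local copy is current, or the remote check failed softly
	Pull                     // no local copy, or the registry serves a different digest
	Refuse                   // remote check hit an auth error and the policy is fail-closed
)

func (d Decision) String() string {
	return [...]string{"use-local", "pull", "refuse"}[d]
}

// ErrUnauthorized is what a store returns when the registry rejects the
// credentials (or anonymous access) for an image.
var ErrUnauthorized = errors.New("registry: unauthorized")

// ImageStore is the pair of lookups the policy needs. The interface is an
// assumption of this example, not a runner API.
type ImageStore interface {
	LocalDigest(image string) (digest string, present bool)
	RemoteDigest(image string) (digest string, err error)
}

// IfNewer follows the proposal's steps: is the image present locally, compare
// local and remote digests, pull on mismatch, and fall back to the local copy
// when the remote lookup fails. With failClosedOnAuth set, an authentication
// failure refuses the job instead of reusing a copy that another job may have
// pulled with credentials.
func IfNewer(store ImageStore, image string, failClosedOnAuth bool) Decision {
	local, present := store.LocalDigest(image)
	if !present {
		return Pull
	}
	remote, err := store.RemoteDigest(image)
	if err != nil {
		if failClosedOnAuth && errors.Is(err, ErrUnauthorized) {
			return Refuse
		}
		return UseLocal
	}
	if remote != local {
		return Pull
	}
	return UseLocal
}

// memoryStore is a constructed in-memory stand-in for the daemon and the
// registry, so the logic runs without either.
type memoryStore struct {
	local   map[string]string // image -> digest of the locally stored copy
	remote  map[string]string // image -> digest the registry currently serves
	authErr map[string]bool   // image -> registry rejects our credentials
}

func (m *memoryStore) LocalDigest(image string) (string, bool) {
	d, ok := m.local[image]
	return d, ok
}

func (m *memoryStore) RemoteDigest(image string) (string, error) {
	if m.authErr[image] {
		return "", ErrUnauthorized
	}
	d, ok := m.remote[image]
	if !ok {
		return "", fmt.Errorf("registry: %s: manifest unknown", image)
	}
	return d, nil
}

// NewSampleStore returns the constructed scenario used below; the digests
// and the private registry name are made up.
func NewSampleStore() *memoryStore {
	return &memoryStore{
		local: map[string]string{
			"alpine:3.19":                "sha256:1111", // stale: the registry moved the tag
			"golang:1.22":                "sha256:2222", // current
			"registry.example/private:1": "sha256:3333", // pulled earlier by a job with credentials
		},
		remote: map[string]string{
			"alpine:3.19":    "sha256:9999",
			"golang:1.22":    "sha256:2222",
			"busybox:latest": "sha256:4444", // never pulled on this runner
		},
		authErr: map[string]bool{"registry.example/private:1": true},
	}
}

func main() {
	s := NewSampleStore()
	for _, img := range []string{"alpine:3.19", "golang:1.22", "busybox:latest", "registry.example/private:1"} {
		fmt.Printf("%-28s lenient=%-9s fail-closed=%s\n", img, IfNewer(s, img, false), IfNewer(s, img, true))
	}
}
```

Running it prints one line per image with both variants of the policy. Distinguishing a transient lookup failure from an authentication failure keeps the proposal's fallback for the former while letting a runner administrator switch off the bypass for the latter.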