
Pulling private images (the bit people trip on)

Here's a subtle thing. Those custom job images live in the private registry, which requires authentication. So how does the runner pull them?

It doesn't do anything special — it asks the host's Docker engine to pull, and Docker uses the credentials in the runner user's ~/.docker/config.json. So the whole trick is: log the runner's user into the registry once, persistently.

# done once, on the runner host, as the service user:
docker login registry.example.com   # user: <REDACTED>

After that, every job-image pull just works, because the engine already has the credential. The same ~/.docker/config.json is what lets workflows push their freshly built images, too.

Lesson learned: "how does my CI pull a private base image?" almost always comes down to where the credential lives, not to some CI-specific setting. For a socket-mounted runner, it's the host user's Docker login. Get that one persistent login right and a whole class of "ImagePullBackOff / unauthorized" mysteries disappears.
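To see where that credential actually lives on a runner host, here is an added example (not part of the original post) that reads a Docker config.json and reports whether the registry has a login, whether the secret sits inline or behind a credential helper, and whether the file is accessible to other users. The function name audit_docker_config and the sample user and password are constructed for illustration.

```python
import base64
import json
import os
import stat
import tempfile


def audit_docker_config(path, registry):
    """Report whether and how `registry` credentials are stored in a Docker config.json."""
    with open(path, encoding="utf-8") as fh:
        cfg = json.load(fh)
    result = {"registry": registry, "storage": None, "warnings": []}

    entry = cfg.get("auths", {}).get(registry)
    helper = cfg.get("credHelpers", {}).get(registry)
    if helper is None and entry is not None and not entry.get("auth"):
        # With a global credsStore, `docker login` leaves an empty auths entry.
        helper = cfg.get("credsStore")

    if helper:
        # The secret is held by docker-credential-<helper>, not by this file.
        result["storage"] = "helper:" + helper
    elif entry and entry.get("auth"):
        # Plain `docker login`: base64("user:password"), encoded but not encrypted.
        result["storage"] = "inline"
        result["warnings"].append("credential is stored unencrypted in config.json")
    else:
        result["warnings"].append("no credential for this registry; pulls will be unauthorized")

    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        result["warnings"].append("config.json is accessible to group/other (mode %o)" % mode)
    return result


if __name__ == "__main__":
    # Constructed sample: what a plain `docker login` writes (fake user and password).
    sample = {"auths": {"registry.example.com": {
        "auth": base64.b64encode(b"ci-user:not-a-real-password").decode()}}}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "config.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(sample, fh)
        os.chmod(path, 0o644)
        print(audit_docker_config(path, "registry.example.com"))
```

On a real host, point it at the service user's ~/.docker/config.json; an "inline" result means anyone who can read that file, including any job that can reach the runner user's home directory, can recover the registry password.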