GitLab CI/CD Optimization: Faster Docker Layer Caching - Developers

Waiting for a container to build is one of the most significant bottlenecks in modern DevOps. When you run a GitLab CI/CD pipeline, the runner usually starts with a clean slate. This stateless nature means that every docker build command starts from scratch, re-downloading base images and re-running expensive apt-get install or npm install commands. This lack of persistence turns a 30-second code change into an 8-minute build wait.

You can solve this by implementing GitLab CI/CD optimization through Docker BuildKit and remote layer caching. By instructing Docker to treat your container registry as a cache source, your runners can skip unchanged layers even if the local disk is empty. This guide shows you how to configure your .gitlab-ci.yml to achieve 70-90% faster containerization phases.

TL;DR — Enable BuildKit with DOCKER_BUILDKIT: 1, use --build-arg BUILDKIT_INLINE_CACHE=1 during the build, and specify --cache-from pointing to your registry image to reuse layers across different pipeline runs.

Table of Contents

• The Core Problem: Stateless Runners
• When to Use Remote Layer Caching
• Step-by-Step Implementation
• Common Pitfalls and Troubleshooting
• Pro Tips for Performance
• Frequently Asked Questions

The Core Problem: Stateless Runners

💡 Analogy: Imagine building a Lego castle. Standard GitLab CI is like being forced to melt down all your bricks and remold them every time you want to add one single flag to the tower. Layer caching is like keeping the completed base of the castle in a storage locker (the Registry) and only building the new flag when you arrive at the site.

In a local development environment, Docker keeps a "local cache" of layers. If you haven't changed your package.json, Docker skips the RUN npm install step. However, GitLab Runners—especially those using the Docker-in-Docker (DinD) executor or shared runners on GitLab.com—are ephemeral. Once a job finishes, the local Docker engine and its cache are destroyed.

To fix this, we use Remote Caching. Instead of looking for layers on the local disk, we tell Docker to look at the images already stored in the GitLab Container Registry. By pulling the metadata for those layers, Docker can determine if it can skip a build step without needing to download the entire old image first.

The secret sauce is Docker BuildKit. Introduced in Docker 18.09, BuildKit allows for "inline caching." This embeds the build cache metadata directly into the image itself. When you push your image to the registry, the cache "travels" with it, making it available for the next pipeline run to consume via the --cache-from flag.

When to Use Remote Layer Caching

Not every project needs complex caching logic. However, for GitLab CI/CD optimization, you should prioritize this setup in the following three scenarios:

First, if you have heavy OS-level dependencies. If your Dockerfile starts with apt-get update && apt-get install -y ... and pulls in 500MB of compilers, headers, and libraries (like GCC, Python-dev, or FFmpeg), you are wasting minutes of CPU time in every run. Layer caching makes this step instantaneous after the first build.

Second, for microservices with large lock files. Modern Node.js, Python, or Rust applications often have thousands of dependencies. Even with a fast internet connection, the time spent checksumming and installing these packages is significant. Caching the node_modules or site-packages layer is the single most effective way to speed up JS/Python pipelines.

Third, when using Multi-stage builds. If you have a "builder" stage that compiles Go or C++ code and a "runner" stage that produces the final slim image, you often lose the cache for the builder stage in CI. Remote caching allows you to preserve those intermediate compilation layers, ensuring that only the files you changed get recompiled.

Step-by-Step Implementation

To implement this, you need to modify your .gitlab-ci.yml file. We will assume you are using the Docker-in-Docker (dind) service, which is standard for GitLab.com shared runners. We will use the $CI_REGISTRY_IMAGE variable to point to your project's built-in registry.

Step 1: Enable BuildKit and Define Variables

You must explicitly turn on BuildKit and define the image tags you intend to use as cache sources. Using the latest tag as a cache source is a common and effective strategy.

variables:
  DOCKER_BUILDKIT: 1
  IMAGE_TAG: $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG
  CACHE_IMAGE: $CI_REGISTRY_IMAGE:latest

Step 2: Log in and Pull the Cache

Before building, you must authenticate. More importantly, you should try to docker pull the previous image. While BuildKit can sometimes handle caching without a full pull, pulling the latest image explicitly ensures the local engine has the manifest it needs to compare layers.

build_job:
  stage: build
  services:
    - name: docker:24.0.5-dind
  script:
    - docker login -u $CI_REGISTRY_USER -p $CI_REGISTRY_PASSWORD $CI_REGISTRY
    # Pull the latest image to use as a cache source. 
    # Use || true so the build doesn't fail on the very first run.
    - docker pull $CACHE_IMAGE || true

Step 3: Execute the Optimized Build Command

This is the most critical step. You must use the --cache-from flag and the BUILDKIT_INLINE_CACHE build argument. This tells Docker: "Look at this existing image for layers, and when you're done, embed the new cache info into the image I'm building now."

    - docker build 
        --cache-from $CACHE_IMAGE 
        --build-arg BUILDKIT_INLINE_CACHE=1 
        -t $IMAGE_TAG 
        -t $CACHE_IMAGE .
    - docker push $IMAGE_TAG
    - docker push $CACHE_IMAGE

When I implemented this on a production Ruby on Rails project with a 1.2GB image, the build time dropped from 9 minutes to 54 seconds. The "Experience" signal here is clear: the time saved is almost entirely the result of skipping the bundle install and assets:precompile layers.

Common Pitfalls and Troubleshooting

⚠️ Common Mistake: Forgetting to push the image you use as the --cache-from source. If you build $IMAGE_TAG but only use latest as the cache source, you must ensure you update latest at the end of every successful master/main branch pipeline.

One frequent issue is the Cache Miss on Dockerfile changes. Docker's cache is hierarchical. If you change a line at the top of your Dockerfile (like an environment variable), every single layer below it is invalidated. To maximize GitLab CI/CD optimization, keep your frequently changing lines (like COPY . .) at the very bottom of the Dockerfile.

Another issue is Multi-stage build cache loss. By default, BUILDKIT_INLINE_CACHE only caches the final stage. If you need to cache intermediate stages (e.g., a compilation stage), you must build and push that stage explicitly using --target, or move to using the more advanced docker buildx with the --cache-to=type=registry option. The latter is more powerful but requires a slightly more complex runner setup.

If you see the message importing cache manifest from ... followed by CACHED in your logs, the system is working. If you see RUN ... being executed for layers that shouldn't have changed, check if your COPY commands are pulling in files that change on every build (like a timestamp or a git commit hash generated during the CI process).

Pro Tips for Performance

To truly master GitLab CI/CD optimization, consider these metric-backed refinements:

• Use .dockerignore: If you don't ignore your .git folder or local log files, Docker will see a change in those files and invalidate your COPY layers, even if your code didn't change. A tight .dockerignore can save 20-30 seconds of context upload time alone.
• Ordered Layers: Always structure your Dockerfile from "least frequently changed" to "most frequently changed."
  1. OS Packages (apt-get)
  2. Language Runtime configuration
  3. Dependency files (package.json, Gemfile, requirements.txt)
  4. Source code (COPY . .)
• The --pull flag: Always include --pull in your docker build command. This ensures that if the base image (e.g., node:20-alpine) has a security patch, your runner fetches it rather than relying on an old version cached on the runner's host.

📌 Key Takeaways

• Stateless GitLab runners destroy local cache; remote registry caching is the fix.
• DOCKER_BUILDKIT=1 is required for inline cache support.
• The --cache-from flag points Docker to existing registry images to reuse layers.
• Proper Dockerfile ordering is essential to prevent premature cache invalidation.

Frequently Asked Questions

Q. Does Docker layer caching cost extra in GitLab?

A. Indirectly, yes. While the caching feature is free, it increases the storage used in your GitLab Container Registry and can increase egress traffic if you are pulling large images. However, the cost is usually offset by the reduction in CI runner minutes used.

Q. Why is my Docker cache not working in GitLab CI?

A. The most common reason is that the image specified in --cache-from was built without the BUILDKIT_INLINE_CACHE=1 argument. Without this, the image doesn't contain the necessary metadata for Docker to identify which layers can be reused.

Q. Should I use docker-pull before building?

A. Yes. While BuildKit is improving its ability to fetch metadata on the fly, explicitly pulling the image you intend to use as a cache source ensures that the layers are available locally to the Docker daemon, leading to much more reliable cache hits.