It definitely seems like we should link to the images from here. I'm
less sure to what degree we should recommend them, but figured I'd take
a stab at it and let you correct me. e.g. I could imagine that if we're
not settled on the repository layout, or eventually want to migrate to
pointing the runners at a TPA-owned default image registry, then we
might not want to broadly recommend this yet.

service/ci.md

@@ -145,6 +145,24 @@ This work came out of [issue #90](https://gitlab.torproject.org/tpo/tpa/gitlab/-
 information or alternative implementations. In particular, it
 documents attempts at building containers with `buildah` and Docker.
 
+## TPA-maintained images
+
+Consider using the [TPA-maintained
+images](https://gitlab.torproject.org/tpo/tpa/base-images) for your CI jobs, in
+cases where there is one that suits your needs. e.g. consider setting `image`
+to something like
+`containers.torproject.org/tpo/tpa/base-images/debian:bookworm` instead of just
+`debian:bookworm`.
+
+In contrast, "bare" image names like `debian:bookworm` implicitly pull from the
+runner's default container registry, which is currently
+[dockerhub](https://hub.docker.com/).  This can be problematic due to dockerhub
+applying rate-limiting, causing some image-pull requests to fail. Using the
+TPA-maintained images instead both avoids image-pull failures for your own job,
+and reduces the CI runner's request-load on dockerhub, thus reducing the
+incidence of such failures for other jobs that do still pull from there (e.g.
+for images for which there aren't TPA-maintained alternatives).
+
 ## FAQ
 
  * do runners have **network access**? **yes**, but that might