How does the gitlab service container work?

Am struggling to understand how services work. Consider the following:

build:
stage: build
image: docker:stable
services:
- docker:dind
script:
- docker image build -t $CONTAINER_IMAGE:$CI_BUILD_REF -t $CONTAINER_IMAGE:latest .
- docker login -u gitlab-ci-token -p $CI_JOB_TOKEN registry.gitlab.com
- docker image push $CONTAINER_IMAGE:latest
- docker image push $CONTAINER_IMAGE:$CI_BUILD_REF
only:

  • master

From the above, we will effectively have two containers - the build container created from docker:stable and the service container created from docker:dind linked to the first build container. I have the following question:

  1. The docker commands in the script section - in which of the two containers (docker:stable or docker:dind) are those commands run?