diff --git a/Containerfile b/Containerfile
index 9771f1c..693896b 100644
--- a/Containerfile
+++ b/Containerfile
@@ -102,9 +102,8 @@ RUN sed -i -r \
 
 # Runtime rootless-mode configuration
 USER podman
-VOLUME ["/home/podman/.local/share/containers/storage/",\
-        "/home/podman/.gitlab-runner/", \
-        "/cache"]
+# N/B: Volumes are cumulative with the base image
+VOLUME ["/home/podman/.gitlab-runner/", "/cache"]
 WORKDIR /home/podman
 ENTRYPOINT ["/usr/local/bin/gitlab-runner-wrapper"]
 
@@ -143,7 +142,7 @@ ENV CLEAN_INTERVAL="$CLEAN_INTERVAL" \
     DOCKER_PRIVILEGED="$PRIVILEGED_RUNNER"
 
 # Not a real build-arg.  Simply here to save lots of typing.
-ARG _pm="--systemd=true --device=/dev/fuse --security-opt label=disable --user podman --volume pipglr-podman-root:/home/podman/.local/share/containers/storage --volume pipglr-config:/home/podman/.gitlab-runner -v pipglr-podman-cache:/cache -e PODMAN_RUNNER_DEBUG -e LOG_LEVEL"
+ARG _pm="--systemd=true --device=/dev/fuse --security-opt label=disable --user podman --volume pipglr-podman-root:/home/podman/.local/share/containers --volume pipglr-config:/home/podman/.gitlab-runner -v pipglr-podman-cache:/cache --tmpfs /var/lib/containers,ro,size=1k -e PODMAN_RUNNER_DEBUG -e LOG_LEVEL"
 
 # These labels simply make it easier to register and execute the runner.
 # Define them last so they are absent should a image-build failure occur.