Fix volume mounts

* Add note about volume-mounts being cumulative with base-image
* Fix register & run labels to use (correct) base image's
  `/home/podman/.local/share/containers/` instead of defining
  a new (wrong/useless) `storage` volume.
* Fix register & run labels to mask over `/var/lib/containers`
  with a read-only tmpfs to block any nested rootful use of
  podman as a security precaution.

Signed-off-by: Chris Evich <chris_gitlab@icuc.me>

Containerfile

@@ -102,9 +102,8 @@ RUN sed -i -r \
 
 # Runtime rootless-mode configuration
 USER podman
-VOLUME ["/home/podman/.local/share/containers/storage/",\
+# N/B: Volumes are cumulative with the base image
-        "/home/podman/.gitlab-runner/", \
+VOLUME ["/home/podman/.gitlab-runner/", "/cache"]
-        "/cache"]
 WORKDIR /home/podman
 ENTRYPOINT ["/usr/local/bin/gitlab-runner-wrapper"]
 
@@ -143,7 +142,7 @@ ENV CLEAN_INTERVAL="$CLEAN_INTERVAL" \
     DOCKER_PRIVILEGED="$PRIVILEGED_RUNNER"
 
 # Not a real build-arg.  Simply here to save lots of typing.
-ARG _pm="--systemd=true --device=/dev/fuse --security-opt label=disable --user podman --volume pipglr-podman-root:/home/podman/.local/share/containers/storage --volume pipglr-config:/home/podman/.gitlab-runner -v pipglr-podman-cache:/cache -e PODMAN_RUNNER_DEBUG -e LOG_LEVEL"
+ARG _pm="--systemd=true --device=/dev/fuse --security-opt label=disable --user podman --volume pipglr-podman-root:/home/podman/.local/share/containers --volume pipglr-config:/home/podman/.gitlab-runner -v pipglr-podman-cache:/cache --tmpfs /var/lib/containers,ro,size=1k -e PODMAN_RUNNER_DEBUG -e LOG_LEVEL"
 
 # These labels simply make it easier to register and execute the runner.
 # Define them last so they are absent should a image-build failure occur.