While testing the multi-runner setup I discovered containers started by the runner user could not invoke Docker. The base image lacked the docker.io package and the user was missing membership of the docker group.

The Dockerfile.ubuntu-runner now installs Docker and ensures the runner user belongs to the docker group so each containerised runner can start sibling containers without needing root:

 1@@
 2-RUN apt-get update && apt-get install -y \
 3-      curl git jq sudo nodejs npm \
 4-      libicu70 libssl-dev libcurl4-openssl-dev \
 5+RUN apt-get update && apt-get install -y \
 6+      curl git jq sudo nodejs npm \
 7+      libicu70 libssl-dev libcurl4-openssl-dev \
 8+      docker.io \
 9     && rm -rf /var/lib/apt/lists/*
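Review bot: The added `docker.io \` line pulls in Ubuntu's full Docker package, which ships the daemon as well as the CLI, and the `apt-get install -y` call has no `--no-install-recommends`. The description says the runner only needs to start sibling containers, so the daemon inside the image is unused weight and extra surface. Consider a client-only install if one is available for this base image, adding `--no-install-recommends`, and a short comment in the Dockerfile saying which daemon the CLI is expected to talk to.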
10@@
11-RUN useradd -m -s /bin/bash runner
12+RUN useradd -m -s /bin/bash runner && usermod -a -G docker runner
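Review bot: The `usermod -a -G docker runner` in the added line gives the runner user, and so every job it executes, root-equivalent control over whichever Docker daemon the socket belongs to. "Without needing root" in the description therefore describes the invocation, not the privilege level. Please document that trade-off in a comment next to this line, and consider a rootless or per-runner daemon if the jobs are not fully trusted. Two smaller points: the group only exists because the earlier hunk installs `docker.io` first, so this ordering should be noted, and the image's `docker` GID may not match the GID that owns a socket mounted from outside the container, in which case the membership would not grant access.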

With these tweaks the runner containers can spin up jobs that use Docker without permission errors.