Shared Instance Runner with Kata Containers via Firecracker MicroVMs
The current (singular) Instance Runner cannot be used for building Docker images, because running other container runtimes on it raises security concerns: the host is not ephemeral and does not support (nested) virtualization, so a job that needs root or a privileged daemon would be running directly against a long-lived host.
Due to recent changes in my homelab architecture, I can now set up one or two VMs for shared runners. With Kata Containers on Firecracker microVMs, a small and fast VM is spun up inside the host VM for each pipeline job.
A pipeline job can therefore run with full root privileges inside this nested VM, getting an unconfined, single-use environment, while the host VM is shielded from the untrusted workload by the virtualization boundary rather than by kernel namespaces alone. The only hard requirement on the runner VM is that it exposes /dev/kvm, i.e. nested virtualization must be enabled on the physical host, since Firecracker cannot start a microVM without KVM. This set-up is also based on well-maintained and established technologies and integrates very well with the GitLab Runner daemon.
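The wiring described above, as an added example and not part of the original notes: a GitLab Runner config.toml in which the docker executor starts every job container under a Kata runtime that is backed by Firecracker. The runtime name "kata-fc", the runner name and the default image are assumptions; the URL and token are placeholders.

```toml
# Added example (not from the original notes): shared runner whose jobs run
# inside Kata Containers on Firecracker microVMs. "kata-fc" is an assumed
# runtime name; the URL and token are placeholders to be replaced.
concurrent = 2

[[runners]]
  name = "shared-kata-fc"                  # assumed runner name
  url = "https://gitlab.example.com/"      # placeholder
  token = "REPLACE_WITH_RUNNER_TOKEN"      # placeholder
  executor = "docker"

  [runners.docker]
    image = "alpine:3.19"                  # assumed default job image
    # Runtime handed to the Docker daemon for every job container. It must
    # match a key under "runtimes" in /etc/docker/daemon.json that points at
    # the Kata shim configured for Firecracker.
    runtime = "kata-fc"
    # Root and privileged mode are scoped to the microVM's guest kernel, so a
    # docker:dind service for image builds is acceptable here.
    privileged = true
    volumes = ["/cache"]
    # Never add "/var/run/docker.sock:/var/run/docker.sock" here: bind-mounting
    # the host socket hands the job control of the runner VM and defeats the
    # isolation the microVM provides.
```

Before registering the runner, confirm that the runtime really lands in a microVM: `docker run --rm --runtime=kata-fc alpine uname -r` must print the Kata guest kernel version, which differs from `uname -r` on the runner VM. Two caveats worth checking on the Kata side: Firecracker has no file-sharing backend (no virtio-fs or 9p), so the container root filesystem has to be provided as block devices (the devicemapper snapshotter in containerd), and for privileged jobs Kata's `privileged_without_host_devices` runtime option exists so that host devices are not passed through into the guest.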