Gitlab-runner shell-executor environment issues / podman issues

I’m successfully running multiple gitlab-runners setup on different nixos hosts pretty much according to the NixOS Wiki. The ones working are all docker-executors and a trivial CI also appears to work on the one with the shell-executor.

However: the need has arisen to execute more involved tasks like podman run from a Makefile running in a CI in the shell-executor. This fails invariably with either:

XDG_RUNTIME_DIR not set

errors from podman,
or, if I manually set XDG_RUNTIME_DIR in the runner config with something like

let 
    pydeps = pkgs.python39Packages.makePythonPath [ "pexpect" ];
    userrundir = "${config.users.users.gitlab-runner.home}/.run";
in
{
       ...
        preBuildScript = pkgs.writeScript "setup-shell-env" ''
          [[ -d "${userrundir}" ]] || mkdir -p "${userrundir}"
        '';
        environmentVariables = {
          ENV = "/etc/profile";
          XDG_RUNTIME_DIR="${userrundir}"; # because without an interactive login session /run/user/107 is not mounted as tmpfs ?!
          PATH = "/nix/var/nix/profiles/default/bin:/nix/var/nix/profiles/default/sbin:/bin:/sbin:/usr/bin:/usr/sbin:/run/current-system/sw/bin";
          ANSIBLE_EXECUTABLE="/run/current-system/sw/bin/sh";
          PYTHONPATH="${pydeps}";
        };

I still get an error, as if podman doesn’t really honor XDG_RUNTIME_DIR like it says it does?

time="2022-05-11T16:02:48+02:00" level=warning msg="XDG_RUNTIME_DIR is pointing to a path which is not writable. Most likely podman will fail.: read-only file system"
Error: error creating tmpdir: mkdir /run/user/107/libpod: read-only file system
make: *** [Makefile:175: satellite-admin-ui] Error 125

even though from the env in the same instance:

XDG_RUNTIME_DIR=/var/lib/gitlab-runner/.run

(I’m running unstable podman 4.0.3 BTW, since I saw a related issue mentioned somewhere…)

Anyone have an Idea?

And while we’re at it, the way the runner env is defined otherwise seems a bit off, wouldn’t it be more idiomatic to somehow define the shell env of the shell-executor with defined buildInputs instead of passing the system-wide path?

Also, I would have preferred for the gitlab-runner to be defined as a normal user, so I would be able to impersonate it on the host to debug pipelines in-situ. But I tried (a long time ago) and failed miserably (due to user-re-definition issues/clashes between user definition and the gitlab-runner module I suspect).

Hosted by Flying Circus.