    register-runner: mount docker socket in container · 4ed9c80f
    Kevin Daudt authored
    In order for jobs on this runner to be able to build docker images, the
    build container needs access to docker.
    
    One option is to use docker-in-docker, but this is not a recommended
    option.
    
    The other option is to mount the docker socket from the host to the
    build containers. This is technically the best option, but it comes with
    some issues:
    
    * CI jobs get full access to docker, with all its security implications
    * Different jobs can create conflicting images / containers
    * Jobs could create images which remain on the host, and could be
      accidentally (or on purpose) used by other jobs. This is limited by
      the setting to always fetch images from the registry.
    
    This remains a trade-off between security and convenience, but it should
    be used with care.