Docker+machine runner image update

I’ve got a GitLab Runner manager instance that spawns “worker” GitLab Runners (using the docker+machine executor for both the manager and worker instances) as EC2 instances in AWS as described in the GitLab docs. These Runner instances pick jobs from my self-hosted Omnibus GitLab instance and run them successfully.

I went to add DAST to a pipeline and when attempting to verify a new site profile, it was failing quietly. I eventually shelled into one of my worker runners to try and see what was going on. From there, I can’t curl the site defined in my profile—openssl and curl both report a cert as expired.

This cert isn’t actually expired—updating the system fixes the issue (just a simple apt-get update ; apt-get upgrade -y). I’m wondering if there is some way in my config.toml on the manager Runner to specify that some commands should be issued when worker runner instances are spawned, or if I have to go and build my own custom Docker image for this?