diff --git a/blueprints/docker-for-mac/docker-17.06-ce.yml b/blueprints/docker-for-mac/docker-17.06-ce.yml
index 3d64257b1..e56038da4 100644
--- a/blueprints/docker-for-mac/docker-17.06-ce.yml
+++ b/blueprints/docker-for-mac/docker-17.06-ce.yml
@@ -3,7 +3,7 @@ services:
 # Bind mounts /var/run to allow vsudd to connect to docker.sock, /var/vpnkit
 # for vpnkit coordination and /var/config/docker for the configuration file.
 - name: docker-dfm
- image: linuxkit/docker-ce:9b937df179bdbebbc70243779978057df0b54190
+ image: docker:17.06.0-ce-dind
 capabilities:
 - all
 net: host
@@ -18,7 +18,7 @@ services:
 - /var/config/docker:/var/config/docker
 - /usr/bin/vpnkit-expose-port:/usr/bin/vpnkit-expose-port # userland proxy
 - /usr/bin/vpnkit-iptables-wrapper:/usr/bin/iptables # iptables wrapper
- command: [ "/usr/bin/docker-init", "/usr/bin/dockerd", "--",
+ command: [ "/usr/local/bin/docker-init", "/usr/local/bin/dockerd", "--",
 "--config-file", "/var/config/docker/daemon.json",
 "--swarm-default-advertise-addr=eth0",
 "--userland-proxy-path", "/usr/bin/vpnkit-expose-port",
@@ -27,3 +27,7 @@ services:
 files:
 - path: /var/config/docker/daemon.json
 contents: '{ "debug": true }'
+
+trust:
+ org:
+ - library
diff --git a/examples/docker.yml b/examples/docker.yml
index 912c0242d..405e0d515 100644
--- a/examples/docker.yml
+++ b/examples/docker.yml
@@ -30,7 +30,7 @@ services:
 - name: ntpd
 image: linuxkit/openntpd:19370f5d9bec84eb91073b7196b732f1301d9c90
 - name: docker
- image: linuxkit/docker-ce:9b937df179bdbebbc70243779978057df0b54190
+ image: docker:17.06.0-ce-dind
 capabilities:
 - all
 net: host
@@ -41,6 +41,7 @@ services:
 - /var/lib/docker:/var/lib/docker
 - /lib/modules:/lib/modules
 - /etc/docker/daemon.json:/etc/docker/daemon.json
+ command: ["/usr/local/bin/docker-init", "/usr/local/bin/dockerd"]
 files:
 - path: var/lib/docker
 directory: true
@@ -49,3 +50,4 @@ files:
 trust:
 org:
 - linuxkit
+ - library
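Review bot: `image: docker:17.06.0-ce-dind` swaps the hash-tagged `linuxkit/docker-ce` image for a mutable Docker Hub tag, so the daemon that runs with `capabilities: all` is whatever that tag points to when it is pulled. This file and examples/docker.yml add `library` under `trust: org:`, but the compose-dynamic.yml, compose-static.yml, kube-master.yml, kube-node.yml and test-docker-bench.yml hunks show no matching trust change; their trust sections lie outside the hunks, so that needs confirming per file. The deleted pkg/docker-ce/Dockerfile checked the download against `DOCKER_SHA256`; pinning the digest would keep an equivalent guarantee, e.g. `image: docker:17.06.0-ce-dind@sha256:<digest>`, provided the build tool accepts digest references. The service definition continues outside the hunk.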
diff --git a/pkg/docker-ce/Dockerfile b/pkg/docker-ce/Dockerfile
deleted file mode 100644
index fd741e1de..000000000
--- a/pkg/docker-ce/Dockerfile
+++ /dev/null
@@ -1,48 +0,0 @@
-FROM linuxkit/alpine:9bcf61f605ef0ce36cc94d59b8eac307862de6e1 AS mirror
-
-# https://github.com/docker/docker/blob/master/project/PACKAGERS.md#runtime-dependencies
-# removed openssl as I do not think server needs it
-RUN mkdir -p /out/etc/apk && cp -r /etc/apk/* /out/etc/apk/
-RUN apk add --no-cache --initdb -p /out \
- alpine-baselayout \
- btrfs-progs \
- busybox \
- ca-certificates \
- curl \
- e2fsprogs \
- e2fsprogs-extra \
- iptables \
- musl \
- xfsprogs \
- xz
-RUN rm -rf /out/etc/apk /out/lib/apk /out/var/cache
-
-FROM scratch
-COPY --from=mirror /out/ /
-
-# set up Docker group
-# set up subuid/subgid so that "--userns-remap=default" works out-of-the-box
-RUN set -x \
- && addgroup -S docker \
- && addgroup -S dockremap \
- && adduser -S -G dockremap dockremap \
- && echo 'dockremap:165536:65536' >> /etc/subuid \
- && echo 'dockremap:165536:65536' >> /etc/subgid
-
-# DOCKER_TYPE is stable, edge or test
-ENV DOCKER_TYPE stable
-ENV DOCKER_VERSION 17.06.0-ce
-ENV DOCKER_SHA256 e582486c9db0f4229deba9f8517145f8af6c5fae7a1243e6b07876bd3e706620
-
-# we could avoid installing client here I suppose
-RUN set -x \
- && curl -fSL "https://download.docker.com/linux/static/${DOCKER_TYPE}/$(uname -m)/docker-${DOCKER_VERSION}.tgz" -o docker.tgz \
- && echo "${DOCKER_SHA256} *docker.tgz" | sha256sum -c - \
- && tar -xzvf docker.tgz \
- && mv docker/* /usr/bin/ \
- && rmdir docker \
- && rm docker.tgz \
- && docker -v
-
-# use the Docker copy of tini as our init for zombie reaping
-ENTRYPOINT ["/usr/bin/docker-init", "/usr/bin/dockerd"]
diff --git a/pkg/docker-ce/Makefile b/pkg/docker-ce/Makefile
deleted file mode 100644
index efd826209..000000000
--- a/pkg/docker-ce/Makefile
+++ /dev/null
@@ -1,4 +0,0 @@
-IMAGE=docker-ce
-NETWORK=1
-
-include ../package.mk
diff --git a/projects/compose/compose-dynamic.yml b/projects/compose/compose-dynamic.yml
index bb94af755..c08451f23 100644
--- a/projects/compose/compose-dynamic.yml
+++ b/projects/compose/compose-dynamic.yml
@@ -27,10 +27,9 @@ services:
 - name: ntpd
 image: linuxkit/openntpd:19370f5d9bec84eb91073b7196b732f1301d9c90
 - name: docker
- image: linuxkit/docker-ce:9b937df179bdbebbc70243779978057df0b54190
+ image: docker:17.06.0-ce-dind
 capabilities:
 - all
- net: host
 mounts:
 - type: cgroup
 options: ["rw","nosuid","noexec","nodev","relatime"]
@@ -39,6 +38,7 @@ services:
 - /lib/modules:/lib/modules
 - /var/run:/var/run
 - /var/html:/var/html
+ command: ["/usr/bin/docker-init", "/usr/bin/dockerd"]
 - name: compose
 image: linuxkitprojects/compose:0535e78608f57702745dfd56fbe78d28d237e469
 binds:
diff --git a/projects/compose/compose-static.yml b/projects/compose/compose-static.yml
index 8f51aa4e0..80c4ee49a 100644
--- a/projects/compose/compose-static.yml
+++ b/projects/compose/compose-static.yml
@@ -27,10 +27,9 @@ services:
 - name: ntpd
 image: linuxkit/openntpd:19370f5d9bec84eb91073b7196b732f1301d9c90
 - name: docker
- image: linuxkit/docker-ce:9b937df179bdbebbc70243779978057df0b54190
+ image: docker:17.06.0-ce-dind
 capabilities:
 - all
- net: host
 mounts:
 - type: cgroup
 options: ["rw","nosuid","noexec","nodev","relatime"]
@@ -39,6 +38,7 @@ services:
 - /lib/modules:/lib/modules
 - /var/run:/var/run
 - /var/html:/var/html
+ command: ["/usr/bin/docker-init", "/usr/bin/dockerd"]
 - name: compose
 image: linuxkitprojects/compose:0535e78608f57702745dfd56fbe78d28d237e469
 binds:
diff --git a/projects/kubernetes/image-cache/Dockerfile b/projects/kubernetes/image-cache/Dockerfile
index c3197868c..b94c8710d 100644
--- a/projects/kubernetes/image-cache/Dockerfile
+++ b/projects/kubernetes/image-cache/Dockerfile
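Review bot: The `- net: host` removal in the first compose-dynamic.yml hunk is a behaviour change separate from the image swap: the docker service keeps `capabilities: all` but stops sharing the host network namespace, while the docker-for-mac and examples/docker.yml hunks keep `net: host` as context. The same line is dropped in compose-static.yml, kube-master.yml, kube-node.yml and test-docker-bench.yml. If this is intended, a comment on the service such as `# dockerd no longer shares the host network namespace` would record the decision; if not, `net: host` should be restored, since the daemon's pulls and published ports presumably depended on it. The service definition starts and ends outside the hunk.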
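Review bot: The added `command: ["/usr/bin/docker-init", "/usr/bin/dockerd"]` points at `/usr/bin`, whereas every other hunk in this commit that starts the same `docker:17.06.0-ce-dind` image uses `/usr/local/bin/docker-init` and `/usr/local/bin/dockerd`. `/usr/bin` was the layout of the deleted pkg/docker-ce image (`mv docker/* /usr/bin/`), so these paths look like a leftover and the service would likely fail to start. Suggested line: `command: ["/usr/local/bin/docker-init", "/usr/local/bin/dockerd"]`. compose-static.yml carries the same line and needs the same change.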
@@ -1,4 +1,4 @@
-FROM linuxkit/docker-ce:9b937df179bdbebbc70243779978057df0b54190
+FROM docker:17.06.0-ce-dind
 ADD . /images
 ENTRYPOINT [ "/bin/sh", "-c" ]
 CMD [ "for image in /images/*.tar ; do docker image load -i $image && rm -f $image ; done" ]
diff --git a/projects/kubernetes/kube-master.yml b/projects/kubernetes/kube-master.yml
index 8aa5743c9..6e7ab0dec 100644
--- a/projects/kubernetes/kube-master.yml
+++ b/projects/kubernetes/kube-master.yml
@@ -39,10 +39,9 @@ services:
 - name: sshd
 image: linuxkit/sshd:89b2e91d7d1bf2f40220be0e3ed586e74746cceb
 - name: docker
- image: linuxkit/docker-ce:9b937df179bdbebbc70243779978057df0b54190
+ image: docker:17.06.0-ce-dind
 capabilities:
 - all
- net: host
 pid: host
 mounts:
 - type: cgroup
@@ -55,6 +54,7 @@ services:
 - /etc/cni:/etc/cni:rshared,rbind
 - /opt/cni:/opt/cni:rshared,rbind
 rootfsPropagation: shared
+ command: ["/usr/local/bin/docker-init", "/usr/local/bin/dockerd"]
 - name: kubernetes-image-cache-common
 image: linuxkit/kubernetes:latest-image-cache-common
 - name: kubernetes-image-cache-control-plane
diff --git a/projects/kubernetes/kube-node.yml b/projects/kubernetes/kube-node.yml
index 2ecd06cf9..0aea62330 100644
--- a/projects/kubernetes/kube-node.yml
+++ b/projects/kubernetes/kube-node.yml
@@ -39,10 +39,9 @@ services:
 - name: sshd
 image: linuxkit/sshd:89b2e91d7d1bf2f40220be0e3ed586e74746cceb
 - name: docker
- image: linuxkit/docker-ce:9b937df179bdbebbc70243779978057df0b54190
+ image: docker:17.06.0-ce-dind
 capabilities:
 - all
- net: host
 pid: host
 mounts:
 - type: cgroup
@@ -55,6 +54,7 @@ services:
 - /etc/cni:/etc/cni:rshared,rbind
 - /opt/cni:/opt/cni:rshared,rbind
 rootfsPropagation: shared
+ command: ["/usr/local/bin/docker-init", "/usr/local/bin/dockerd"]
 - name: kubernetes-image-cache-common
 image: linuxkit/kubernetes:latest-image-cache-common
 - name: kubelet
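Review bot: `FROM docker:17.06.0-ce-dind` in the image-cache Dockerfile builds on a mutable tag, and a Dockerfile `FROM` is resolved by the image build, not by the `trust:` sections this commit adds to the YAML files. Pinning the base by digest, `FROM docker:17.06.0-ce-dind@sha256:<digest>`, or building with `DOCKER_CONTENT_TRUST=1`, keeps the base verifiable. The `CMD` shown only runs `docker image load`, so a comment above `FROM` stating that the base is used for its docker client would also help the next reader.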
diff --git a/test/cases/030_security/000_docker-bench/test-docker-bench.yml b/test/cases/030_security/000_docker-bench/test-docker-bench.yml
index 106f29fc0..877f0de26 100644
--- a/test/cases/030_security/000_docker-bench/test-docker-bench.yml
+++ b/test/cases/030_security/000_docker-bench/test-docker-bench.yml
@@ -24,10 +24,9 @@ services:
 - name: dhcpcd
 image: linuxkit/dhcpcd:4b7b8bb024cebb1bbb9c8026d44d7cbc8e202c41
 - name: docker
- image: linuxkit/docker-ce:9b937df179bdbebbc70243779978057df0b54190
+ image: docker:17.06.0-ce-dind
 capabilities:
 - all
- net: host
 mounts:
 - type: cgroup
 options: ["rw","nosuid","noexec","nodev","relatime"]
@@ -35,6 +34,7 @@ services:
 - /var/lib/docker:/var/lib/docker
 - /lib/modules:/lib/modules
 - /run:/var/run
+ command: ["/usr/local/bin/docker-init", "/usr/local/bin/dockerd"]
 - name: test-docker-bench
 image: linuxkit/test-docker-bench:4999d3484771e8466580c0dc2e479595e49faa85
 ipc: host