diff --git a/pkg/metadata/Dockerfile b/pkg/metadata/Dockerfile
index 6a82a8895..66ea12fa8 100644
--- a/pkg/metadata/Dockerfile
+++ b/pkg/metadata/Dockerfile
@@ -6,7 +6,7 @@ ENV GOPATH=/go PATH=$PATH:/go/bin
 COPY .  /go/src/metadata/
 RUN go-compile.sh /go/src/metadata
 
-RUN mkdir -p out/tmp out/var out/dev out/etc out/etc/ssl/certs
+RUN mkdir -p out/tmp out/var out/run out/dev out/etc out/etc/ssl/certs
 
 FROM scratch
 ENTRYPOINT []
@@ -15,4 +15,3 @@ WORKDIR /
 COPY --from=mirror /go/bin/metadata /usr/bin/metadata
 COPY --from=mirror /out/ /
 CMD ["/usr/bin/metadata"]
-LABEL org.mobyproject.config='{"binds": ["/dev:/dev", "/var:/var", "/sys:/sys", "/etc/resolv.conf:/etc/resolv.conf", "/etc/ssl/certs:/etc/ssl/certs"], "tmpfs": ["/tmp"], "readonly": true, "capabilities": ["CAP_SYS_ADMIN", "CAP_NET_ADMIN"]}'
diff --git a/pkg/metadata/build.yml b/pkg/metadata/build.yml
index 60df83ac5..cf0f1d552 100644
--- a/pkg/metadata/build.yml
+++ b/pkg/metadata/build.yml
@@ -1 +1,15 @@
 image: metadata
+config:
+  binds:
+    - /dev:/dev
+    - /var:/var
+    - /run:/run
+    - /sys:/sys
+    - /etc/resolv.conf:/etc/resolv.conf
+    - /etc/ssl/certs:/etc/ssl/certs
+  tmpfs:
+    - /tmp
+  readonly: true
+  capabilities:
+    - CAP_SYS_ADMIN
+    - CAP_NET_ADMIN