diff --git a/src/cmd/linuxkit/vendor.conf b/src/cmd/linuxkit/vendor.conf
index b256832b7..d88d035c3 100644
--- a/src/cmd/linuxkit/vendor.conf
+++ b/src/cmd/linuxkit/vendor.conf
@@ -26,7 +26,7 @@ github.com/moby/datakit 97b3d230535397a813323902c23751e176481a86
 github.com/moby/hyperkit a12cd7250bcd8d689078e3e42ae4a7cf6a0cbaf3
 # When updating also:
 # curl -fsSL -o src/cmd/linuxkit/build.go https://raw.githubusercontent.com/moby/tool/«hash»/cmd/moby/build.go
-github.com/moby/tool 1aca4eefa5fcfb2248e6b2e4ce7251a9a3b5a60a
+github.com/moby/tool f816553d2fc58638f6904fddedd13c36d237b498
 github.com/moby/vpnkit 0e4293bb1058598c4b0a406ed171f52573ef414c
 github.com/opencontainers/go-digest 21dfd564fd89c944783d00d069f33e3e7123c448
 github.com/opencontainers/image-spec v1.0.0
diff --git a/src/cmd/linuxkit/vendor/github.com/moby/tool/src/moby/image.go b/src/cmd/linuxkit/vendor/github.com/moby/tool/src/moby/image.go
index 22def6cfc..cb1e23be0 100644
--- a/src/cmd/linuxkit/vendor/github.com/moby/tool/src/moby/image.go
+++ b/src/cmd/linuxkit/vendor/github.com/moby/tool/src/moby/image.go
@@ -229,6 +229,7 @@ func ImageBundle(prefix string, ref *reference.Spec, config []byte, runtime Runt
 		return err
 	}
 
+	var rootfsMounts []specs.Mount
 	if !readonly {
 		// add a tmp directory to be used as a mount point for tmpfs for upper, work
 		tmp := path.Join(prefix, "tmp")
@@ -250,13 +251,12 @@ func ImageBundle(prefix string, ref *reference.Spec, config []byte, runtime Runt
 			return err
 		}
 		overlayOptions := []string{"lowerdir=/" + root, "upperdir=/" + path.Join(tmp, "upper"), "workdir=/" + path.Join(tmp, "work")}
-		runtimeMounts := append(*runtime.Mounts,
-			specs.Mount{Source: "tmpfs", Type: "tmpfs", Destination: "/" + tmp},
+		rootfsMounts = []specs.Mount{
+			{Source: "tmpfs", Type: "tmpfs", Destination: "/" + tmp},
 			// remount private as nothing else should see the temporary layers
-			specs.Mount{Destination: "/" + tmp, Options: []string{"remount", "private"}},
-			specs.Mount{Source: "overlay", Type: "overlay", Destination: "/" + path.Join(prefix, "rootfs"), Options: overlayOptions},
-		)
-		runtime.Mounts = &runtimeMounts
+			{Destination: "/" + tmp, Options: []string{"remount", "private"}},
+			{Source: "overlay", Type: "overlay", Destination: "/" + path.Join(prefix, "rootfs"), Options: overlayOptions},
+		}
 	} else {
 		if foundElsewhere {
 			// we need to make the mountpoint at rootfs
@@ -270,10 +270,15 @@ func ImageBundle(prefix string, ref *reference.Spec, config []byte, runtime Runt
 			}
 		}
 		// either bind from another location, or bind from self to make sure it is a mountpoint as runc prefers this
-		runtimeMounts := append(*runtime.Mounts, specs.Mount{Source: "/" + root, Destination: "/" + path.Join(prefix, "rootfs"), Options: []string{"bind"}})
-		runtime.Mounts = &runtimeMounts
+		rootfsMounts = []specs.Mount{
+			{Source: "/" + root, Destination: "/" + path.Join(prefix, "rootfs"), Options: []string{"bind"}},
+		}
 	}
 
+	// Prepend the rootfs onto the user specified mounts.
+	runtimeMounts := append(rootfsMounts, *runtime.Mounts...)
+	runtime.Mounts = &runtimeMounts
+
 	// write the runtime config
 	runtimeConfig, err := json.MarshalIndent(runtime, "", "    ")
 	if err != nil {