diff --git a/examples/docker.yml b/examples/docker.yml
index f2b657bc7..190a004e6 100644
--- a/examples/docker.yml
+++ b/examples/docker.yml
@@ -2,7 +2,7 @@ kernel:
 image: "mobylinux/kernel:4.9.x"
 cmdline: "console=ttyS0 console=tty0 page_poison=1"
 init:
- - mobylinux/init:c394f4bf59566206e5036798c058a9894a7e0fc8
+ - mobylinux/init:4a731380d1d9b29472c7de165a1cdf93136ab1e7
 - mobylinux/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9
 - mobylinux/containerd:c7f6ecdcbcb615a53edee556ba03c7c873bc8488
 - mobylinux/ca-certificates:eabc5a6e59f05aa91529d80e9a595b85b046f935
@@ -27,6 +27,15 @@ onboot:
 capabilities:
 - CAP_SYS_ADMIN
 - CAP_MKNOD
+ - name: mount
+ image: "mobylinux/mount:d2669e7c8ddda99fa0618a414d44261eba6e299a"
+ binds:
+ - /dev:/dev
+ - /var:/var:rshared,rbind
+ capabilities:
+ - CAP_SYS_ADMIN
+ rootfsPropagation: shared
+ command: ["/mount.sh", "/var/lib/docker"]
 services:
 - name: rngd
 image: "mobylinux/rngd:3dad6dd43270fa632ac031e99d1947f20b22eec9@sha256:1c93c1db7196f6f71f8e300bc1d15f0376dd18e8891c8789d77c8ff19f3a9a92"
@@ -46,7 +55,7 @@ services:
 net: host
 oomScoreAdj: -800
 - name: docker
- image: "mobylinux/docker-ce:f6505961df89ca6b5d024f1ac5a6b986359786d1"
+ image: "mobylinux/docker-ce:741bf21513328f674e0cdcaa55492b0b75974e08"
 capabilities:
 - all
 net: host
@@ -54,7 +63,7 @@ services:
 - type: cgroup
 options: ["rw","nosuid","noexec","nodev","relatime"]
 binds:
- - /dev:/dev
+ - /var/lib/docker:/var/lib/docker
 - /lib/modules:/lib/modules
 trust:
 image:
diff --git a/examples/gcp.yml b/examples/gcp.yml
index 7d8445298..c97ead4df 100644
--- a/examples/gcp.yml
+++ b/examples/gcp.yml
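Review bot: The new `mount` onboot container is pinned by tag only (`image: "mobylinux/mount:d2669e7c8ddda99fa0618a414d44261eba6e299a"`), while the `rngd` service two lines below it pins with an `@sha256:` digest; this container runs with `CAP_SYS_ADMIN`, `rootfsPropagation: shared`, a read-write `/dev` bind and an rshared bind of the host's `/var`, so whoever can move that tag gets a mount primitive on the host at every boot. Pin it like `rngd`, `image: "mobylinux/mount:d2669e7c8ddda99fa0618a414d44261eba6e299a@sha256:<digest of the pushed image>"`, and add a one-line comment above the entry explaining that shared propagation is what lets the disk mounted under `/var/lib/docker` become visible to the `docker` service later in this file. The tag-to-digest mapping is not visible in this diff, so the digest has to be taken from the registry at push time.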
@@ -2,7 +2,7 @@ kernel:
 image: "mobylinux/kernel:4.9.x"
 cmdline: "console=ttyS0 page_poison=1"
 init:
- - mobylinux/init:c394f4bf59566206e5036798c058a9894a7e0fc8
+ - mobylinux/init:4a731380d1d9b29472c7de165a1cdf93136ab1e7
 - mobylinux/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9
 - mobylinux/containerd:c7f6ecdcbcb615a53edee556ba03c7c873bc8488
 - mobylinux/ca-certificates:eabc5a6e59f05aa91529d80e9a595b85b046f935
diff --git a/examples/sshd.yml b/examples/sshd.yml
index 5d9273c8b..26f869e38 100644
--- a/examples/sshd.yml
+++ b/examples/sshd.yml
@@ -2,7 +2,7 @@ kernel:
 image: "mobylinux/kernel:4.9.x"
 cmdline: "console=ttyS0 page_poison=1"
 init:
- - mobylinux/init:c394f4bf59566206e5036798c058a9894a7e0fc8
+ - mobylinux/init:4a731380d1d9b29472c7de165a1cdf93136ab1e7
 - mobylinux/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9
 - mobylinux/containerd:c7f6ecdcbcb615a53edee556ba03c7c873bc8488
 - mobylinux/ca-certificates:eabc5a6e59f05aa91529d80e9a595b85b046f935
diff --git a/examples/vmware.yml b/examples/vmware.yml
index f86d2aecd..3ab2b9bb6 100644
--- a/examples/vmware.yml
+++ b/examples/vmware.yml
@@ -2,7 +2,7 @@ kernel:
 image: "mobylinux/kernel:4.9.x"
 cmdline: "console=tty0 page_poison=1"
 init:
- - mobylinux/init:c394f4bf59566206e5036798c058a9894a7e0fc8
+ - mobylinux/init:4a731380d1d9b29472c7de165a1cdf93136ab1e7
 - mobylinux/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9
 - mobylinux/containerd:c7f6ecdcbcb615a53edee556ba03c7c873bc8488
 - mobylinux/ca-certificates:eabc5a6e59f05aa91529d80e9a595b85b046f935
diff --git a/moby.yml b/moby.yml
index c359bef44..64204448e 100644
--- a/moby.yml
+++ b/moby.yml
@@ -2,7 +2,7 @@ kernel:
 image: "mobylinux/kernel:4.9.x"
 cmdline: "console=ttyS0 console=tty0 page_poison=1"
 init:
- - mobylinux/init:c394f4bf59566206e5036798c058a9894a7e0fc8
+ - mobylinux/init:4a731380d1d9b29472c7de165a1cdf93136ab1e7
 - mobylinux/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9
 - mobylinux/containerd:c7f6ecdcbcb615a53edee556ba03c7c873bc8488
 - mobylinux/ca-certificates:eabc5a6e59f05aa91529d80e9a595b85b046f935
diff --git a/pkg/docker-ce/Dockerfile b/pkg/docker-ce/Dockerfile
index 45a44e176..2fb298809 100644
--- a/pkg/docker-ce/Dockerfile
+++ b/pkg/docker-ce/Dockerfile
@@ -38,7 +38,5 @@ RUN set -x \
 && rm docker.tgz \
 && docker -v
-COPY . ./
-
 # use the Docker copy of tini as our init for zombie reaping
-ENTRYPOINT ["/usr/bin/docker-init", "/bin/sh", "/docker.sh"]
+ENTRYPOINT ["/usr/bin/docker-init", "/usr/bin/dockerd"]
diff --git a/pkg/docker-ce/Makefile b/pkg/docker-ce/Makefile
index 1cca96610..d3fcb0869 100644
--- a/pkg/docker-ce/Makefile
+++ b/pkg/docker-ce/Makefile
@@ -5,7 +5,7 @@ IMAGE=docker-ce
 default: push
-hash: Dockerfile docker.sh
+hash: Dockerfile
 DOCKER_CONTENT_TRUST=1 docker pull $(BASE)
 tar cf - $^ | docker build --no-cache -t $(IMAGE):build -
 docker run --entrypoint /bin/sh --rm $(IMAGE):build -c 'cat $^ /lib/apk/db/installed | sha1sum' | sed 's/ .*//' > $@
diff --git a/pkg/init/etc/init.d/rcS b/pkg/init/etc/init.d/rcS
index 7dd576c2f..8553cdba8 100755
--- a/pkg/init/etc/init.d/rcS
+++ b/pkg/init/etc/init.d/rcS
@@ -107,11 +107,17 @@ mkdir /tmp/etc
 mv /etc/resolv.conf /tmp/etc/resolv.conf
 ln -snf /tmp/etc/resolv.conf /etc/resolv.conf
+# mount rootfs as rshared
+mount --make-rshared /
+
 # remount rootfs as readonly
 mount -o remount,ro /
-# bind and remount containers and var as read-write
+# bind and remount containers as read-write but private
 mount -o bind /containers /containers
-mount -o bind /var /var
 mount -o remount,rw,relatime /containers /containers
-mount -o remount,rw,nodev,nosuid,relatime /var /var
+mount --make-private /containers
+
+# make /var its own tmpfs mount point
+mount -n -t tmpfs var /var -o nodev,nosuid,noexec,relatime,size=10%,mode=755
+mount --make-rshared /var
diff --git a/pkg/mount/Dockerfile b/pkg/mount/Dockerfile
new file mode 100644
index 000000000..8b5098209
--- /dev/null
+++ b/pkg/mount/Dockerfile
@@ -0,0 +1,11 @@
+FROM alpine:3.5
+
+RUN \
+ apk update && apk upgrade -a && \
+ apk add --no-cache \
+ jq \
+ sfdisk \
+ && true
+
+COPY . ./
+CMD ["/bin/sh", "/mount.sh"]
diff --git a/pkg/mount/Makefile b/pkg/mount/Makefile
new file mode 100644
index 000000000..13d9efd9f
--- /dev/null
+++ b/pkg/mount/Makefile
@@ -0,0 +1,29 @@
+.PHONY: tag push
+
+BASE=alpine:3.5
+IMAGE=mount
+
+default: push
+
+hash: Dockerfile mount.sh
+ DOCKER_CONTENT_TRUST=1 docker pull $(BASE)
+ tar cf - $^ | docker build --no-cache -t $(IMAGE):build -
+ docker run --rm --entrypoint /bin/sh $(IMAGE):build -c "cat $^ /lib/apk/db/installed | sha1sum" | sed 's/ .*//' > $@
+
+push: hash
+ docker pull mobylinux/$(IMAGE):$(shell cat hash) || \
+ (docker tag $(IMAGE):build mobylinux/$(IMAGE):$(shell cat hash) && \
+ docker push mobylinux/$(IMAGE):$(shell cat hash))
+ docker rmi $(IMAGE):build
+ rm -f hash
+
+tag: hash
+ docker pull mobylinux/$(IMAGE):$(shell cat hash) || \
+ docker tag $(IMAGE):build mobylinux/$(IMAGE):$(shell cat hash)
+ docker rmi $(IMAGE):build
+ rm -f hash
+
+clean:
+ rm -f hash
+
+.DELETE_ON_ERROR:
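Review bot: `mount --make-rshared /` widens propagation for the whole rootfs, yet the only path this hunk actually needs to receive mounts from a container is `/var`, which is made rshared again on the last line; if the root-wide setting is deliberate (presumably so that the later `/var` tmpfs inherits shared propagation), say so in the comment, e.g. `# rootfs rshared so that mounts made under /var by onboot containers propagate back here`, otherwise consider keeping `/` private and sharing `/var` alone. The new `/var` tmpfs is mounted `noexec`; since `/var/lib/docker` lives under it until a persistent disk is mounted on top, a boot without such a disk leaves dockerd's layer store on a noexec filesystem, which is worth a comment next to the mount options rather than being discovered at runtime. `/containers` keeps `rw,relatime` only — the `nodev,nosuid` that were on the old `/var` remount are preserved on the tmpfs, so nothing is lost there. The script continues outside the hunk on both sides.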
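Review bot: `CMD ["/bin/sh", "/mount.sh"]` runs the script with no argument, and with the new guard in mount.sh that means the image's default command can only print "No mountpoint specified" and exit 1; either give it the default the yaml passes, `CMD ["/bin/sh", "/mount.sh", "/var/lib/docker"]`, or drop the CMD and add a comment that `command:` in the yaml is the only supported entry point. `apk update && apk upgrade -a` with unpinned `jq`/`sfdisk` also makes the image non-reproducible; the Makefile's `hash` target fingerprints `/lib/apk/db/installed`, which detects drift but does not prevent it, so a comment such as `# package versions float; the sha1 in the Makefile tag reflects whatever apk resolved at build time` would set expectations. `COPY . ./` copies into the image root, which is what `/mount.sh` relies on — a `WORKDIR /` line would make that explicit.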
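Review bot: `DOCKER_CONTENT_TRUST=1` is set only for the base-image pull in the `hash` target; the `docker push mobylinux/$(IMAGE):$(shell cat hash)` in `push` runs without it, so the published image is not signed and consumers referencing the tag alone have no trust check. Either prefix the push the same way, `DOCKER_CONTENT_TRUST=1 docker push mobylinux/$(IMAGE):$(shell cat hash))`, or add a comment stating that the sha1-derived tag is the only integrity anchor. `.PHONY: tag push` also omits `default` and `clean`, so a stray file named `clean` in this directory would silently make that target a no-op.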
diff --git a/pkg/docker-ce/docker.sh b/pkg/mount/mount.sh
similarity index 80%
rename from pkg/docker-ce/docker.sh
rename to pkg/mount/mount.sh
index 5ab37b090..724d594a9 100755
--- a/pkg/docker-ce/docker.sh
+++ b/pkg/mount/mount.sh
@@ -2,12 +2,14 @@
 set -x
+MOUNTPOINT="$1"
+
+[ -z "$MOUNTPOINT" ] && echo "No mountpoint specified" && exit 1
+
+mkdir -p "$MOUNTPOINT"
+
 mount_drive()
- MOUNTPOINT=/var/lib/docker
-
- mkdir -p "$MOUNTPOINT"
-
 # TODO fix for multiple disks, cdroms etc
 DEVS="$(find /dev -maxdepth 1 -type b ! -name 'loop*' ! -name 'nbd*' | grep -v '[0-9]$' | sed 's@.*/dev/@@' | sort)"
@@ -28,11 +30,6 @@ mount_drive()
 done
 echo "WARNING: Failed to mount a persistent volume (is there one?)"
-
- # not sure if we want to fatally bail here, in some debug situations it is ok
- # exit 1
 }
 mount_drive
-
-exec /usr/bin/dockerd
diff --git a/test/ltp/test-ltp.yml b/test/ltp/test-ltp.yml
index 23154d02f..82214cc67 100644
--- a/test/ltp/test-ltp.yml
+++ b/test/ltp/test-ltp.yml
@@ -2,7 +2,7 @@ kernel:
 image: "mobylinux/kernel:4.9.x"
 cmdline: "console=ttyS0"
 init:
- - mobylinux/init:c394f4bf59566206e5036798c058a9894a7e0fc8
+ - mobylinux/init:4a731380d1d9b29472c7de165a1cdf93136ab1e7
 - mobylinux/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9
 - mobylinux/containerd:c7f6ecdcbcb615a53edee556ba03c7c873bc8488
 - mobylinux/ca-certificates:eabc5a6e59f05aa91529d80e9a595b85b046f935
diff --git a/test/test.yml b/test/test.yml
index d1cc9cb34..4cc66724b 100644
--- a/test/test.yml
+++ b/test/test.yml
@@ -2,7 +2,7 @@ kernel:
 image: "mobylinux/kernel:4.9.x"
 cmdline: "console=ttyS0"
 init:
- - mobylinux/init:c394f4bf59566206e5036798c058a9894a7e0fc8
+ - mobylinux/init:4a731380d1d9b29472c7de165a1cdf93136ab1e7
 - mobylinux/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9
 - mobylinux/containerd:c7f6ecdcbcb615a53edee556ba03c7c873bc8488
 - mobylinux/ca-certificates:eabc5a6e59f05aa91529d80e9a595b85b046f935
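Review bot: `mount_drive` still returns success after printing the WARNING — this hunk removes the comment that weighed `exit 1` without deciding the question — and the script has no `set -e`, so a boot with no usable disk exits 0 and the caller gets no signal that `$MOUNTPOINT` is still the empty directory `mkdir -p` created on the host filesystem. Either make that explicit at the top, `# Non-fatal: if no disk mounts, $MOUNTPOINT stays an empty host directory`, or make it a failure with `return 1` after the echo and `mount_drive || exit 1` at the bottom, so the yaml that runs this as an onboot step can react. The argument guard `[ -z "$MOUNTPOINT" ] && echo "No mountpoint specified" && exit 1` chains the exit on `echo` succeeding; an `if … then … fi` reads as intended and avoids the silent fall-through if stdout is closed. The first hunk's `mount_drive` body and the loop it contains extend beyond what is shown here.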
diff --git a/test/virtsock/test-virtsock-server.yml b/test/virtsock/test-virtsock-server.yml
index 3284cf21c..e2095e8f5 100644
--- a/test/virtsock/test-virtsock-server.yml
+++ b/test/virtsock/test-virtsock-server.yml
@@ -6,7 +6,7 @@ kernel:
 image: "mobylinux/kernel:4.9.x"
 cmdline: "console=ttyS0 page_poison=1"
 init:
- - mobylinux/init:c394f4bf59566206e5036798c058a9894a7e0fc8
+ - mobylinux/init:4a731380d1d9b29472c7de165a1cdf93136ab1e7
 - mobylinux/runc:b0fb122e10dbb7e4e45115177a61a3f8d68c19a9
 - mobylinux/containerd:c7f6ecdcbcb615a53edee556ba03c7c873bc8488
 - mobylinux/ca-certificates:eabc5a6e59f05aa91529d80e9a595b85b046f935