@@ -75,6 +75,7 @@ type Opt struct {

 	DefaultCgroupParent string

 	ResolverOpt         resolver.ResolveOptionsFunc

 	BuilderConfig       config.BuilderConfig

+	Rootless            bool

 }

 // Builder can build using BuildKit backend

@@ -107,7 +107,7 @@ func newController(rt http.RoundTripper, opt Opt) (*control.Controller, error) {

 		return nil, err

 	}

-	exec, err := newExecutor(root, opt.DefaultCgroupParent, opt.NetworkController)

+	exec, err := newExecutor(root, opt.DefaultCgroupParent, opt.NetworkController, opt.Rootless)

 	if err != nil {

 		return nil, err

 	}

@@ -20,9 +20,9 @@ import (

 const networkName = "bridge"

-func newExecutor(root, cgroupParent string, net libnetwork.NetworkController) (executor.Executor, error) {

+func newExecutor(root, cgroupParent string, net libnetwork.NetworkController, rootless bool) (executor.Executor, error) {

 	networkProviders := map[pb.NetMode]network.Provider{

-		pb.NetMode_UNSET: &bridgeProvider{NetworkController: net},

+		pb.NetMode_UNSET: &bridgeProvider{NetworkController: net, Root: filepath.Join(root, "net")},

 		pb.NetMode_HOST:  network.NewHostProvider(),

 		pb.NetMode_NONE:  network.NewNoneProvider(),

 	}

@@ -30,11 +30,13 @@ func newExecutor(root, cgroupParent string, net libnetwork.NetworkController) (e

 		Root:                filepath.Join(root, "executor"),

 		CommandCandidates:   []string{"runc"},

 		DefaultCgroupParent: cgroupParent,

+		Rootless:            rootless,

 	}, networkProviders)

 }

 type bridgeProvider struct {

 	libnetwork.NetworkController

+	Root string

 }

 func (p *bridgeProvider) New() (network.Namespace, error) {

@@ -70,7 +72,8 @@ func (iface *lnInterface) init(c libnetwork.NetworkController, n libnetwork.Netw

 		return

 	}

-	sbx, err := c.NewSandbox(id, libnetwork.OptionUseExternalKey())

+	sbx, err := c.NewSandbox(id, libnetwork.OptionUseExternalKey(), libnetwork.OptionHostsPath(filepath.Join(iface.provider.Root, id, "hosts")),

+		libnetwork.OptionResolvConfPath(filepath.Join(iface.provider.Root, id, "resolv.conf")))

 	if err != nil {

 		iface.err = err

 		return

@@ -88,23 +91,26 @@ func (iface *lnInterface) init(c libnetwork.NetworkController, n libnetwork.Netw

 func (iface *lnInterface) Set(s *specs.Spec) {

 	<-iface.ready

 	if iface.err != nil {

+		logrus.WithError(iface.err).Error("failed to set networking spec")

 		return

 	}

 	// attach netns to bridge within the container namespace, using reexec in a prestart hook

 	s.Hooks = &specs.Hooks{

 		Prestart: []specs.Hook{{

 			Path: filepath.Join("/proc", strconv.Itoa(os.Getpid()), "exe"),

-			Args: []string{"libnetwork-setkey", iface.sbx.ContainerID(), iface.provider.NetworkController.ID()},

+			Args: []string{"libnetwork-setkey", "-exec-root=" + iface.provider.Config().Daemon.ExecRoot, iface.sbx.ContainerID(), iface.provider.NetworkController.ID()},

 		}},

 	}

 }

 func (iface *lnInterface) Close() error {

 	<-iface.ready

-	go func() {

-		if err := iface.sbx.Delete(); err != nil {

-			logrus.Errorf("failed to delete builder network sandbox: %v", err)

-		}

-	}()

+	if iface.sbx != nil {

+		go func() {

+			if err := iface.sbx.Delete(); err != nil {

+				logrus.Errorf("failed to delete builder network sandbox: %v", err)

+			}

+		}()

+	}

 	return iface.err

 }

@@ -10,7 +10,7 @@ import (

 	"github.com/moby/buildkit/executor"

 )

-func newExecutor(_, _ string, _ libnetwork.NetworkController) (executor.Executor, error) {

+func newExecutor(_, _ string, _ libnetwork.NetworkController, _ bool) (executor.Executor, error) {

 	return &winExecutor{}, nil

 }

@@ -325,6 +325,7 @@ func newRouterOptions(config *config.Config, d *daemon.Daemon) (routerOptions, e

 		DefaultCgroupParent: cgroupParent,

 		ResolverOpt:         d.NewResolveOptionsFunc(),

 		BuilderConfig:       config.Builder,

+		Rootless:            d.Rootless(),

 	})

 	if err != nil {

 		return opts, err

@@ -175,7 +175,7 @@ func (daemon *Daemon) fillSecurityOptions(v *types.Info, sysInfo *sysinfo.SysInf

 	if rootIDs := daemon.idMapping.RootPair(); rootIDs.UID != 0 || rootIDs.GID != 0 {

 		securityOptions = append(securityOptions, "name=userns")

 	}

-	if daemon.configStoreRootless() {

+	if daemon.Rootless() {

 		securityOptions = append(securityOptions, "name=rootless")

 	}

 	v.SecurityOptions = securityOptions

@@ -247,6 +247,7 @@ func parseRuncVersion(v string) (version string, commit string, err error) {

 	return version, commit, err

 }

-func (daemon *Daemon) configStoreRootless() bool {

+// Rootless returns true if daemon is running in rootless mode

+func (daemon *Daemon) Rootless() bool {

 	return daemon.configStore.Rootless

 }

@@ -14,6 +14,7 @@ func (daemon *Daemon) fillPlatformVersion(v *types.Version) {}

 func fillDriverWarnings(v *types.Info) {

 }

-func (daemon *Daemon) configStoreRootless() bool {

+// Rootless returns true if daemon is running in rootless mode

+func (daemon *Daemon) Rootless() bool {

 	return false

 }