diff --git a/.etckeeper b/.etckeeper
index cf62e6f..1d9496a 100755
--- a/.etckeeper
+++ b/.etckeeper
@@ -126,6 +126,8 @@ maybe chmod 0644 'console-setup/compose.KOI8-U.inc'
 maybe chmod 0644 'console-setup/compose.TIS-620.inc'
 maybe chmod 0644 'console-setup/compose.VISCII.inc'
 maybe chmod 0644 'console-setup/remap.inc'
+maybe chmod 0755 'containerd'
+maybe chmod 0644 'containerd/config.toml'
 maybe chmod 0755 'cron.d'
 maybe chmod 0644 'cron.d/.placeholder'
 maybe chmod 0755 'cron.daily'
@@ -165,6 +167,7 @@ maybe chmod 0644 'default/console-setup'
 maybe chmod 0644 'default/crda'
 maybe chmod 0644 'default/cron'
 maybe chmod 0644 'default/dbus'
+maybe chmod 0644 'default/docker'
 maybe chmod 0644 'default/fake-hwclock'
 maybe chmod 0644 'default/hwclock'
 maybe chmod 0644 'default/keyboard'
@@ -193,6 +196,8 @@ maybe chmod 0644 'dhcp/dhclient.conf'
 maybe chgrp 'netdev' 'dhcpcd.conf'
 maybe chmod 0664 'dhcpcd.conf'
 maybe chmod 0644 'dhcpcd.conf.orig'
+maybe chmod 0755 'docker'
+maybe chmod 0600 'docker/key.json'
 maybe chmod 0644 'dphys-swapfile'
 maybe chmod 0755 'dpkg'
 maybe chmod 0644 'dpkg/dpkg.cfg'
@@ -289,6 +294,7 @@ maybe chmod 0755 'init.d/console-setup.sh'
 maybe chmod 0755 'init.d/cron'
 maybe chmod 0755 'init.d/dbus'
 maybe chmod 0755 'init.d/dhcpcd'
+maybe chmod 0755 'init.d/docker'
 maybe chmod 0755 'init.d/dphys-swapfile'
 maybe chmod 0755 'init.d/fake-hwclock'
 maybe chmod 0755 'init.d/hwclock.sh'
@@ -308,6 +314,7 @@ maybe chmod 0755 'init.d/ssh'
 maybe chmod 0755 'init.d/sudo'
 maybe chmod 0755 'init.d/triggerhappy'
 maybe chmod 0755 'init.d/udev'
+maybe chmod 0644 'init/docker.conf'
 maybe chmod 0644 'init/paxctld.conf'
 maybe chmod 0755 'initramfs-tools'
 maybe chmod 0755 'initramfs-tools/conf.d'
diff --git a/containerd/config.toml b/containerd/config.toml
new file mode 100644
index 0000000..ccbbd5b
--- /dev/null
+++ b/containerd/config.toml
@@ -0,0 +1,31 @@
+# Copyright 2018-2020 Docker Inc.
+
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+
+# http://www.apache.org/licenses/LICENSE-2.0
+
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+disabled_plugins = ["cri"]
+
+#root = "/var/lib/containerd"
+#state = "/run/containerd"
+#subreaper = true
+#oom_score = 0
+
+#[grpc]
+# address = "/run/containerd/containerd.sock"
+# uid = 0
+# gid = 0
+
+#[debug]
+# address = "/run/containerd/debug.sock"
+# uid = 0
+# gid = 0
+# level = "info"
diff --git a/default/docker b/default/docker
new file mode 100644
index 0000000..c4e9319
--- /dev/null
+++ b/default/docker
@@ -0,0 +1,20 @@
+# Docker Upstart and SysVinit configuration file
+
+#
+# THIS FILE DOES NOT APPLY TO SYSTEMD
+#
+# Please see the documentation for "systemd drop-ins":
+# https://docs.docker.com/engine/admin/systemd/
+#
+
+# Customize location of Docker binary (especially for development testing).
+#DOCKERD="/usr/local/bin/dockerd"
+
+# Use DOCKER_OPTS to modify the daemon startup options.
+#DOCKER_OPTS="--dns 8.8.8.8 --dns 8.8.4.4"
+
+# If you need Docker to use an HTTP proxy, it can also be specified here.
+#export http_proxy="http://127.0.0.1:3128/"
+
+# This is also a handy place to tweak where Docker's temporary files go.
+#export DOCKER_TMPDIR="/mnt/bigdrive/docker-tmp"
diff --git a/docker/key.json b/docker/key.json
new file mode 100644
index 0000000..b3267b1
--- /dev/null
+++ b/docker/key.json
@@ -0,0 +1 @@
+{"crv":"P-256","d":"G1AuOtGPLty8a2dUgZvoExuAXDvNHw-ud6-sO_vu83c","kid":"IROT:IF5E:APXY:WM7I:RGRJ:JR3P:4WQQ:XVR6:EN4Y:VX5D:KTD2:TBBW","kty":"EC","x":"iUWKYfXOaA88Ss4NhVs9P3znn1eP27Xl2uRwWx9ycLs","y":"p52ZVR_preUCrCzyO95YBV9sSPLQHMqxbgUqanDErxM"}
\ No newline at end of file
diff --git a/group b/group
index cf1de36..3ca2508 100644
--- a/group
+++ b/group
@@ -55,3 +55,4 @@ i2c:x:998:ariane
 gpio:x:997:ariane
 systemd-coredump:x:996:
 ariane:x:1001:
+docker:x:995:
diff --git a/group- b/group-
index b456526..cf1de36 100644
--- a/group-
+++ b/group-
@@ -2,7 +2,7 @@ root:x:0:
 daemon:x:1:
 bin:x:2:
 sys:x:3:
-adm:x:4:pi,ariane
+adm:x:4:ariane
 tty:x:5:
 disk:x:6:
 lp:x:7:
@@ -12,14 +12,14 @@ uucp:x:10:
 man:x:12:
 proxy:x:13:
 kmem:x:15:
-dialout:x:20:pi,ariane
+dialout:x:20:ariane
 fax:x:21:
 voice:x:22:
-cdrom:x:24:pi,ariane
+cdrom:x:24:ariane
 floppy:x:25:
 tape:x:26:
-sudo:x:27:pi,ariane
-audio:x:29:pi,ariane
+sudo:x:27:ariane
+audio:x:29:ariane
 dip:x:30:
 www-data:x:33:
 backup:x:34:
@@ -30,29 +30,28 @@ src:x:40:
 gnats:x:41:
 shadow:x:42:
 utmp:x:43:
-video:x:44:pi,ariane
+video:x:44:ariane
 sasl:x:45:
-plugdev:x:46:pi,ariane
+plugdev:x:46:ariane
 staff:x:50:
-games:x:60:pi,ariane
-users:x:100:pi,ariane
+games:x:60:ariane
+users:x:100:ariane
 nogroup:x:65534:
 systemd-journal:x:101:
 systemd-timesync:x:102:
 systemd-network:x:103:
 systemd-resolve:x:104:
-input:x:105:pi,ariane
+input:x:105:ariane
 kvm:x:106:
 render:x:107:
 crontab:x:108:
-netdev:x:109:pi,ariane
-pi:x:1000:
+netdev:x:109:ariane
 messagebus:x:110:
 ssh:x:111:
 bluetooth:x:112:
 avahi:x:113:
-spi:x:999:pi,ariane
-i2c:x:998:pi,ariane
-gpio:x:997:pi,ariane
+spi:x:999:ariane
+i2c:x:998:ariane
+gpio:x:997:ariane
 systemd-coredump:x:996:
 ariane:x:1001:
diff --git a/gshadow b/gshadow
index e5b7d48..bfa8eac 100644
--- a/gshadow
+++ b/gshadow
@@ -55,3 +55,4 @@ i2c:!::ariane
 gpio:!::ariane
 systemd-coredump:!!::
 ariane:!::
+docker:!::
diff --git a/gshadow- b/gshadow-
index 890dd82..e5b7d48 100644
--- a/gshadow-
+++ b/gshadow-
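Review bot: The added `docker/key.json` is a JWK that carries the `d` member, which for an EC key is the private scalar, so this commit stores the Docker daemon's private identity key in the history of the /etc repository. The `maybe chmod 0600 'docker/key.json'` entry added to `.etckeeper` restricts the file on disk, but not the copy held in git objects, which every clone, backup or remote of the repository carries. I would add `docker/key.json` to the repository's `.gitignore` and untrack it so etckeeper stops recording it. If this repository has ever been pushed or copied off the host, treat the key as exposed and replace it; to my knowledge the daemon recreates the file when it is absent, but confirm that for the installed version before removing it.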
@@ -2,7 +2,7 @@ root:*::
 daemon:*::
 bin:*::
 sys:*::
-adm:*::pi,ariane
+adm:*::ariane
 tty:*::
 disk:*::
 lp:*::
@@ -12,14 +12,14 @@ uucp:*::
 man:*::
 proxy:*::
 kmem:*::
-dialout:*::pi,ariane
+dialout:*::ariane
 fax:*::
 voice:*::
-cdrom:*::pi,ariane
+cdrom:*::ariane
 floppy:*::
 tape:*::
-sudo:*::pi,ariane
-audio:*::pi,ariane
+sudo:*::ariane
+audio:*::ariane
 dip:*::
 www-data:*::
 backup:*::
@@ -30,29 +30,28 @@ src:*::
 gnats:*::
 shadow:*::
 utmp:*::
-video:*::pi,ariane
+video:*::ariane
 sasl:*::
-plugdev:*::pi,ariane
+plugdev:*::ariane
 staff:*::
-games:*::pi,ariane
-users:*::pi,ariane
+games:*::ariane
+users:*::ariane
 nogroup:*::
 systemd-journal:!::
 systemd-timesync:!::
 systemd-network:!::
 systemd-resolve:!::
-input:!::pi,ariane
+input:!::ariane
 kvm:!::
 render:!::
 crontab:!::
-netdev:!::pi,ariane
-pi:!::
+netdev:!::ariane
 messagebus:!::
 ssh:!::
 bluetooth:!::
 avahi:!::
-spi:!::pi,ariane
-i2c:!::pi,ariane
-gpio:!::pi,ariane
+spi:!::ariane
+i2c:!::ariane
+gpio:!::ariane
 systemd-coredump:!!::
 ariane:!::
diff --git a/init.d/docker b/init.d/docker
new file mode 100755
index 0000000..9c8fa6b
--- /dev/null
+++ b/init.d/docker
@@ -0,0 +1,156 @@ +#!/bin/sh +set -e + +### BEGIN INIT INFO +# Provides: docker +# Required-Start: $syslog $remote_fs +# Required-Stop: $syslog $remote_fs +# Should-Start: cgroupfs-mount cgroup-lite +# Should-Stop: cgroupfs-mount cgroup-lite +# Default-Start: 2 3 4 5 +# Default-Stop: 0 1 6 +# Short-Description: Create lightweight, portable, self-sufficient containers. +# Description: +# Docker is an open-source project to easily create lightweight, portable, +# self-sufficient containers from any application. The same container that a +# developer builds and tests on a laptop can run at scale, in production, on +# VMs, bare metal, OpenStack clusters, public clouds and more. +### END INIT INFO + +export PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin + +BASE=docker + +# modify these in /etc/default/$BASE (/etc/default/docker) +DOCKERD=/usr/bin/dockerd +# This is the pid file managed by docker itself +DOCKER_PIDFILE=/var/run/$BASE.pid +# This is the pid file created/managed by start-stop-daemon +DOCKER_SSD_PIDFILE=/var/run/$BASE-ssd.pid +DOCKER_LOGFILE=/var/log/$BASE.log +DOCKER_OPTS= +DOCKER_DESC="Docker" + +# Get lsb functions +. /lib/lsb/init-functions + +if [ -f /etc/default/$BASE ]; then + . /etc/default/$BASE +fi + +# Check docker is present +if [ ! -x $DOCKERD ]; then + log_failure_msg "$DOCKERD not present or not executable" + exit 1 +fi + +check_init() { + # see also init_is_upstart in /lib/lsb/init-functions (which isn't available in Ubuntu 12.04, or we'd use it directly) + if [ -x /sbin/initctl ] && /sbin/initctl version 2>/dev/null | grep -q upstart; then + log_failure_msg "$DOCKER_DESC is managed via upstart, try using service $BASE $1" + exit 1 + fi +} + +fail_unless_root() { + if [ "$(id -u)" != '0' ]; then + log_failure_msg "$DOCKER_DESC must be run as root" + exit 1 + fi +} + +cgroupfs_mount() { + # see also https://github.com/tianon/cgroupfs-mount/blob/master/cgroupfs-mount + if grep -v '^#' /etc/fstab | grep -q cgroup \ + || [ ! 
-e /proc/cgroups ] \ + || [ ! -d /sys/fs/cgroup ]; then + return + fi + if ! mountpoint -q /sys/fs/cgroup; then + mount -t tmpfs -o uid=0,gid=0,mode=0755 cgroup /sys/fs/cgroup + fi + ( + cd /sys/fs/cgroup + for sys in $(awk '!/^#/ { if ($4 == 1) print $1 }' /proc/cgroups); do + mkdir -p $sys + if ! mountpoint -q $sys; then + if ! mount -n -t cgroup -o $sys cgroup $sys; then + rmdir $sys || true + fi + fi + done + ) +} + +case "$1" in + start) + check_init + + fail_unless_root + + cgroupfs_mount + + touch "$DOCKER_LOGFILE" + chgrp docker "$DOCKER_LOGFILE" + + ulimit -n 1048576 + + # Having non-zero limits causes performance problems due to accounting overhead + # in the kernel. We recommend using cgroups to do container-local accounting. + if [ "$BASH" ]; then + ulimit -u unlimited + else + ulimit -p unlimited + fi + + log_begin_msg "Starting $DOCKER_DESC: $BASE" + start-stop-daemon --start --background \ + --no-close \ + --exec "$DOCKERD" \ + --pidfile "$DOCKER_SSD_PIDFILE" \ + --make-pidfile \ + -- \ + -p "$DOCKER_PIDFILE" \ + $DOCKER_OPTS \ + >> "$DOCKER_LOGFILE" 2>&1 + log_end_msg $? + ;; + + stop) + check_init + fail_unless_root + if [ -f "$DOCKER_SSD_PIDFILE" ]; then + log_begin_msg "Stopping $DOCKER_DESC: $BASE" + start-stop-daemon --stop --pidfile "$DOCKER_SSD_PIDFILE" --retry 10 + log_end_msg $? + else + log_warning_msg "Docker already stopped - file $DOCKER_SSD_PIDFILE not found." + fi + ;; + + restart) + check_init + fail_unless_root + docker_pid=`cat "$DOCKER_SSD_PIDFILE" 2>/dev/null` + [ -n "$docker_pid" ] \ + && ps -p $docker_pid > /dev/null 2>&1 \ + && $0 stop + $0 start + ;; + + force-reload) + check_init + fail_unless_root + $0 restart + ;; + + status) + check_init + status_of_proc -p "$DOCKER_SSD_PIDFILE" "$DOCKERD" "$DOCKER_DESC" + ;; + + *) + echo "Usage: service docker {start|stop|restart|status}" + exit 1 + ;; +esac diff --git a/init/docker.conf b/init/docker.conf new file mode 100644 index 0000000..d58f7d6 --- /dev/null +++ b/init/docker.conf 
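Review bot: In the `start)` branch of `init.d/docker`, `touch "$DOCKER_LOGFILE"` followed by `chgrp docker "$DOCKER_LOGFILE"` never sets a mode, so the daemon log gets whatever the umask in effect allows, which is commonly world-readable. Since the daemon's stdout and stderr are appended to that file, I would pin the mode right after the `chgrp` with `chmod 0640 "$DOCKER_LOGFILE"`. Separately, `[ ! -x $DOCKERD ]` tests an unquoted value that `/etc/default/docker` may override; `[ ! -x "$DOCKERD" ]` is the safer form. The unquoted `$sys` in `cgroupfs_mount` has the same shape and recurs in the `pre-start script` of `init/docker.conf`. This looks like the script shipped by the Docker package, so a local edit may be overwritten on upgrade.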
@@ -0,0 +1,72 @@
+description "Docker daemon"
+
+start on (filesystem and net-device-up IFACE!=lo)
+stop on runlevel [!2345]
+
+limit nofile 524288 1048576
+
+# Having non-zero limits causes performance problems due to accounting overhead
+# in the kernel. We recommend using cgroups to do container-local accounting.
+limit nproc unlimited unlimited
+
+respawn
+
+kill timeout 20
+
+pre-start script
+ # see also https://github.com/tianon/cgroupfs-mount/blob/master/cgroupfs-mount
+ if grep -v '^#' /etc/fstab | grep -q cgroup \
+ || [ ! -e /proc/cgroups ] \
+ || [ ! -d /sys/fs/cgroup ]; then
+ exit 0
+ fi
+ if ! mountpoint -q /sys/fs/cgroup; then
+ mount -t tmpfs -o uid=0,gid=0,mode=0755 cgroup /sys/fs/cgroup
+ fi
+ (
+ cd /sys/fs/cgroup
+ for sys in $(awk '!/^#/ { if ($4 == 1) print $1 }' /proc/cgroups); do
+ mkdir -p $sys
+ if ! mountpoint -q $sys; then
+ if ! mount -n -t cgroup -o $sys cgroup $sys; then
+ rmdir $sys || true
+ fi
+ fi
+ done
+ )
+end script
+
+script
+ # modify these in /etc/default/$UPSTART_JOB (/etc/default/docker)
+ DOCKERD=/usr/bin/dockerd
+ DOCKER_OPTS=
+ if [ -f /etc/default/$UPSTART_JOB ]; then
+ . /etc/default/$UPSTART_JOB
+ fi
+ exec "$DOCKERD" $DOCKER_OPTS --raw-logs
+end script
+
+# Don't emit "started" event until docker.sock is ready.
+# See https://github.com/docker/docker/issues/6647
+post-start script
+ DOCKER_OPTS=
+ DOCKER_SOCKET=
+ if [ -f /etc/default/$UPSTART_JOB ]; then
+ . /etc/default/$UPSTART_JOB
+ fi
+
+ if ! printf "%s" "$DOCKER_OPTS" | grep -qE -e '-H|--host'; then
+ DOCKER_SOCKET=/var/run/docker.sock
+ else
+ DOCKER_SOCKET=$(printf "%s" "$DOCKER_OPTS" | grep -oP -e '(-H|--host)\W*unix://\K(\S+)' | sed 1q)
+ fi
+
+ if [ -n "$DOCKER_SOCKET" ]; then
+ while ! [ -e "$DOCKER_SOCKET" ]; do
+ initctl status $UPSTART_JOB | grep -qE "(stop|respawn)/" && exit 1
+ echo "Waiting for $DOCKER_SOCKET"
+ sleep 0.1
+ done
+ echo "$DOCKER_SOCKET is up"
+ fi
+end script
diff --git a/rc0.d/K01docker b/rc0.d/K01docker
new file mode 120000
index 0000000..567023b
--- /dev/null
+++ b/rc0.d/K01docker
@@ -0,0 +1 @@
+../init.d/docker
\ No newline at end of file
diff --git a/rc1.d/K01docker b/rc1.d/K01docker
new file mode 120000
index 0000000..567023b
--- /dev/null
+++ b/rc1.d/K01docker
@@ -0,0 +1 @@
+../init.d/docker
\ No newline at end of file
diff --git a/rc2.d/S01docker b/rc2.d/S01docker
new file mode 120000
index 0000000..567023b
--- /dev/null
+++ b/rc2.d/S01docker
@@ -0,0 +1 @@
+../init.d/docker
\ No newline at end of file
diff --git a/rc3.d/S01docker b/rc3.d/S01docker
new file mode 120000
index 0000000..567023b
--- /dev/null
+++ b/rc3.d/S01docker
@@ -0,0 +1 @@
+../init.d/docker
\ No newline at end of file
diff --git a/rc4.d/S01docker b/rc4.d/S01docker
new file mode 120000
index 0000000..567023b
--- /dev/null
+++ b/rc4.d/S01docker
@@ -0,0 +1 @@
+../init.d/docker
\ No newline at end of file
diff --git a/rc5.d/S01docker b/rc5.d/S01docker
new file mode 120000
index 0000000..567023b
--- /dev/null
+++ b/rc5.d/S01docker
@@ -0,0 +1 @@
+../init.d/docker
\ No newline at end of file
diff --git a/rc6.d/K01docker b/rc6.d/K01docker
new file mode 120000
index 0000000..567023b
--- /dev/null
+++ b/rc6.d/K01docker
@@ -0,0 +1 @@
+../init.d/docker
\ No newline at end of file
diff --git a/systemd/system/multi-user.target.wants/containerd.service b/systemd/system/multi-user.target.wants/containerd.service
new file mode 120000
index 0000000..7e11de0
--- /dev/null
+++ b/systemd/system/multi-user.target.wants/containerd.service
@@ -0,0 +1 @@
+/lib/systemd/system/containerd.service
\ No newline at end of file
diff --git a/systemd/system/multi-user.target.wants/docker.service b/systemd/system/multi-user.target.wants/docker.service
new file mode 120000
index 0000000..a06e3f5
--- /dev/null
+++ b/systemd/system/multi-user.target.wants/docker.service
@@ -0,0 +1 @@
+/lib/systemd/system/docker.service
\ No newline at end of file
diff --git a/systemd/system/sockets.target.wants/docker.socket b/systemd/system/sockets.target.wants/docker.socket
new file mode 120000
index 0000000..6d81ae1
--- /dev/null
+++ b/systemd/system/sockets.target.wants/docker.socket
@@ -0,0 +1 @@
+/lib/systemd/system/docker.socket
\ No newline at end of file