Squashed commit of the following:

commit a65c6f4
Merge: 9d32bc5 ce1b629
Author: Morris Richman <81453549+Mcrich23@users.noreply.github.com>
Date:   Tue Feb 3 20:08:38 2026 -0800

    Merge branch 'apple:main' into main

commit ce1b629
Author: Manoj Mahapatra <mahaplipsa@gmail.com>
Date:   Tue Feb 3 13:43:07 2026 -0800

    [Docs] Fix typo in BUILDING.md: launchd -> launchctl (apple#1146)

    ## Type of Change
    - [ ] Bug fix
    - [ ] New feature
    - [ ] Breaking change
    - [x] Documentation update

    ## Motivation and Context
    The debug instructions in `BUILDING.md` incorrectly reference launchd
    list instead of `launchctl` list. `launchd` is the daemon itself and
    cannot be invoked directly.

    ## Testing
    - [ ] Tested locally
    - [ ] Added/updated tests
    - [x] Added/updated docs

commit 3e49dce
Author: Danny Canter <danny_canter@apple.com>
Date:   Tue Feb 3 00:45:01 2026 -0800

    Add in missing rlimits (apple#1140)

    Containerization didn't have these defined until a recent tag.

commit c4c2e85
Author: J Logan <john_logan@apple.com>
Date:   Tue Feb 3 00:27:09 2026 -0800

    Upgrade kernel to Kata 3.26.0. (apple#1134)

    - Upgrade to containerization 0.24.5 to pick up zstd decompression
    enhancement.
    - Closes apple#767.
    - Closes apple#988.
    - Closes apple#1132.
    - Requires apple/containerization#508.

commit 5c86337
Author: William Laverty <developer@william-laverty.com>
Date:   Mon Feb 2 13:57:59 2026 -0800

    Add explanatory message before admin password prompt in uninstall script (apple#1118)

    - Added message: "This script requires an administrator password to
    remove the application files from system directories."
    - Fixes apple#1111

commit 7da25e1
Author: Danny Canter <danny_canter@apple.com>
Date:   Mon Feb 2 13:35:02 2026 -0800

    Deps: Bump Containerization to 0.24.0 (apple#1127)

    Brings in some rlimit bumps/adjustments

commit 7dfe27d
Author: Danny Canter <danny_canter@apple.com>
Date:   Mon Feb 2 13:30:19 2026 -0800

    CLI: Add support for rlimits (apple#1129)

    Closes apple#1097.

commit b3b5c3e
Author: J Logan <john_logan@apple.com>
Date:   Mon Feb 2 12:24:27 2026 -0800

    Use labels instead of id to discriminate the builtin network. (apple#1123)

    - Closes apple#1122.
    - Adds placeholder ManagedResource and unit tests. Nothing is using
    these yet.
    - Adds system-defined resource labels for owning plugin and resource
    role. The system discriminates the builtin network using role "builtin".
    - Adds builtin role when creating builtin network at startup, and
    ensures that a preexisting network with ID "default" gets updated with
    the role label.
    - Replace all network ID checks for "default" with the builtin role
    check.
    - Adds "builder" role to builder VM.

    ## Type of Change
    - [ ] Bug fix
    - [x] New feature
    - [ ] Breaking change
    - [ ] Documentation update

    ## Motivation and Context
    Role and owner labels should make cross-cutting resource policy easier
    to implement.

    ## Testing
    - [x] Tested locally
    - [x] Added/updated tests
    - [ ] Added/updated docs

commit 1dae1cd
Author: w-ferg <43309695+w-ferg@users.noreply.github.com>
Date:   Sun Feb 1 18:14:41 2026 -0500

    Fix pfctl executable path in PacketFilter DNS reload (apple#1128)

    ## Summary

    The `reload()` method in `PacketFilter.swift` references
    `/sbin/reloadProcess` (the local variable name) instead of
    `/sbin/pfctl`. This causes all DNS create and delete operations to fail:

    ```
    Error: internalError: "pfctl reload exec failed: "Error Domain=NSCocoaErrorDomain Code=4 "The file "reloadProcess" doesn't exist.""
    ```

    ## Fix

    One-line change: `/sbin/reloadProcess` → `/sbin/pfctl`

    ## Testing

    Verified on macOS 26 (Tahoe) with Apple Silicon:
    - `sudo container system dns create test.sdc.internal --localhost
    203.0.113.1` succeeds without error
    - Container can resolve and reach host services through the DNS redirect

commit 113a6ec
Author: Ronit Sabhaya <ronitsabhaya75@gmail.com>
Date:   Fri Jan 30 21:54:57 2026 -0600

    Fix file descriptor leak in DirectoryWatcher (apple#1104)

    - `DirectoryWatcher` opens file descriptors for monitoring
      directories but never closes them, causing a file descriptor
      leak.
    - Adds `setCancelHandler` to properly close file descriptors
      when the `DispatchSource` is cancelled.

    Signed-off-by: Ronit Sabhaya <ronitsabhaya75@gmail.com>

commit 72f04b6
Author: Saehej Kang <saehej.kang@gmail.com>
Date:   Fri Jan 30 19:10:03 2026 -0800

    [docs]: update steps on building with containerization project (apple#1116)

    - Closes apple#1095
    - Just added a few more details about how to build with the local
      `containerization` dependency.

commit 3a0ad58
Author: Raj <rajaryan_singh@apple.com>
Date:   Fri Jan 30 16:17:43 2026 -0800

    Add resource.role label to builder container (apple#1120)

    Add resource.role label to builder container

commit 1c01d0c
Author: J Logan <john_logan@apple.com>
Date:   Fri Jan 30 11:07:49 2026 -0800

    Update to kata 3.20.0 kernel. (apple#1114)

    - Closes apple#1113.
    - This is the newest we can do until we address apple#767.
    - Slight change to PacketFilter error handling so unit tests work more
    reliably.
    - Try making CLINetworkTests serialized to see if parallel execution is
    causing flakes.

commit 3f2060e
Author: Danny Canter <danny_canter@apple.com>
Date:   Thu Jan 29 18:25:48 2026 -0800

    DirectoryWatcher: Small adjustments (apple#1112)

    - Have the handler throw
    - Log the failure at error level

commit 0a7fb07
Author: Danny Canter <danny_canter@apple.com>
Date:   Thu Jan 29 14:21:12 2026 -0800

    Set mtu to old Containerization default (apple#1110)

    The old mtu default in containerization was 1280 to account for some
    alpine/musl images that have issues with
    1500. This changed in the last couple tags to be modifiable, but the new
    default is the standard 1500. Ideally we eventually allow supplying the
    mtu to be used when you create a network (or possibly a container
    creation setting), but for now just default in here back to what CZ used
    to use.

commit 0bceb23
Author: Aditya Ramani <a_ramani@apple.com>
Date:   Thu Jan 29 12:08:42 2026 +0900

    Bump to use containerization 0.23.2 (apple#1106)

    Updating the package dependency on apple/containerization to pick up bug fixes

    Signed-off-by: Aditya Ramani <a_ramani@apple.com>
    Co-authored-by: J Logan <john_logan@apple.com>

commit d762fe5
Author: jwhur <57657645+JaewonHur@users.noreply.github.com>
Date:   Wed Jan 28 18:22:33 2026 -0800

    Launch a service with waitForDebugger if specified (apple#1101)

    This PR enables launching a service with `waitForDebugger` flag if the
    service label matches a given env variable `CONTAINER_DEBUG`.

commit 4f93e3e
Author: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Date:   Wed Jan 28 18:21:08 2026 -0800

    ci: bump actions/checkout from 6.0.1 to 6.0.2 in the github-actions group (apple#1100)

    - Updates `actions/checkout` from 6.0.1 to 6.0.2

    Signed-off-by: dependabot[bot] <support@github.com>
    Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>

commit 371db6d
Author: jwhur <57657645+JaewonHur@users.noreply.github.com>
Date:   Wed Jan 28 17:17:08 2026 -0800

    Fix testExecOnExitingContainer (apple#1107)

    Check the container remains only, not its status as the status might not
    have been updated at the time checking.

commit d872270
Author: J Logan <john_logan@apple.com>
Date:   Wed Jan 28 09:04:58 2026 -0800

    Removes ArgumentParser import from NetworkMode. (apple#1102)

    - ContainerResources shouldn't need to know anything about CLI stuff.
    - Move ExpressibleByArgument protocol conformance to an extension in the
    package where it's needed.

commit 3abf81f
Author: Saehej Kang <saehej.kang@gmail.com>
Date:   Tue Jan 27 20:00:43 2026 -0800

    [image-list]: Add full size field to json output (apple#1098)

    - Refer to apple#862
    - Updated `SIZE` field to `FULL SIZE`, as it seemed more appropriate so
    it does not get mixed up with the `descriptor size` field
    - Closes apple#860

commit 24cbed5
Author: ChengHao Yang <17496418+tico88612@users.noreply.github.com>
Date:   Wed Jan 28 06:55:49 2026 +0800

    Implement container prune (apple#904)

    - Fixed apple#892.
    - By contrast with `rm`, `prune` should display
      the amount of reclaimed storage, so added code
      to retrieve it.

    Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>

commit a57527e
Author: jwhur <57657645+JaewonHur@users.noreply.github.com>
Date:   Tue Jan 27 11:15:22 2026 -0800

    Refactor container lifecycle functions to perform scoped rollback on failure (apple#1080)

    - Closes apple#977.
    - Closes apple#1058.
    - Prevents unexpected removal of containers on
      bootstrapping and starting failures, by reorganizing
      error handling for container `run`, `start`, and
      `exec` so that error handling only unwinds that
      which was done in the current scope.
    - Relies on apple/containerization#495.

commit 6244129
Author: c <claudeaceae@icloud.com>
Date:   Mon Jan 26 23:30:45 2026 -0500

    Fix grammar in BUILDING.md (apple#984)

    - Fixes a grammar error in the local Containerization development
    instructions.

commit 9d4cded
Author: jwhur <57657645+JaewonHur@users.noreply.github.com>
Date:   Mon Jan 26 19:35:41 2026 -0800

    Isolated network (apple#1079)

    - Closes apple#1037.
    - Adds a `--mode` flag that has `nat` and `hostOnly` options.
      The host-only option selects the vmnet host-only mode,
      where containers attached to the network can reach each
      other and the host, but not external systems.

commit 033c999
Author: J Logan <john_logan@apple.com>
Date:   Mon Jan 26 14:07:00 2026 -0800

    Make TerminalProgress a library. (apple#1093)

    - Closes apple#1092.
    - Allows 3rd party CLI plugins to use the progress indicator.

commit b371aee
Author: ChengHao Yang <17496418+tico88612@users.noreply.github.com>
Date:   Tue Jan 27 05:07:05 2026 +0800

    Feat: container image delete force option (apple#1096)

    - Fixed apple#1087

    Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>

commit ed1185d
Author: jwhur <57657645+JaewonHur@users.noreply.github.com>
Date:   Fri Jan 23 17:59:28 2026 -0800

    Container-to-host networking. (apple#1078)

    - Closes apple#346.
    - This PR enables connecting host's localhost ports from
      containers.
    - It adds an option `--localhost <localhost>` to DNS
      create command, after which the packets heading
      ip address in container are redirected to localhost in
      host machine. Packet filter rule is added and deleted
      along with the creation and deletion of localhost domain.

commit 14c279f
Author: Patrick Linnane <patrick@linnane.io>
Date:   Fri Jan 23 17:56:35 2026 -0800

    Add option to stop services in all launchd domains (apple#1077)

    - Services started from Terminal run in the `gui/$uid`
      launchd domain. When `ensure-container-stopped.sh`
      runs from a different context, `launchctl managername`
      may return a different domain, causing the script to
      check the wrong domain and miss running services.
      I noticed this after upgrading `container` via Homebrew.
    - Introduces a getopt option `-a` that allows booting out all
      domains explicitly. Also adds `-h` for a usage message.

    Signed-off-by: Patrick Linnane <patrick@linnane.io>

commit 751c1fc
Author: Stanislav Antonichev <cympak2@users.noreply.github.com>
Date:   Fri Jan 23 23:01:26 2026 +0200

    Add --dns support to build command for custom DNS resolution (apple#1067)

    This change adds --dns parameter support to the build command, matching
    the existing functionality in the run command. This allows users to
    specify custom DNS nameservers (like Google DNS 8.8.8.8) when building
    container images, which is essential when the host machine uses a local
    DNS resolver (e.g., 127.0.0.2) that doesn't work inside containers.

    Changes:
    - Added --dns option to BuildCommand to accept DNS nameserver IP
    addresses
    - Modified build logic to detect DNS configuration changes and recreate
    the builder container when DNS settings differ
    - Passed DNS configuration to BuilderStart.start() method
    - Updated builder container creation to use specified DNS nameservers or
    fall back to network gateway

    ## Type of Change
    - [ ] Bug fix
    - [X] New feature
    - [ ] Breaking change
    - [ ] Documentation update

    ## Motivation and Context
    This change adds --dns parameter support to the build command, matching
    the existing functionality in the run command. This allows users to
    specify custom DNS nameservers (like Google DNS 8.8.8.8) when building
    container images, which is essential when the host machine uses a local
    DNS resolver (e.g., 127.0.0.2) that doesn't work inside containers.

    ## Testing
    - [X] Tested locally
    - [ ] Added/updated tests
    - [ ] Added/updated docs

    ---------

    Co-authored-by: J Logan <sgtbakerrahulnet@yahoo.com>

commit 55f2112
Author: J Logan <john_logan@apple.com>
Date:   Fri Jan 23 11:35:10 2026 -0800

    Place image store data correctly for app-root path. (apple#1085)

    - Closes apple#1084.

commit 5746ec3
Author: ChengHao Yang <17496418+tico88612@users.noreply.github.com>
Date:   Sat Jan 24 03:32:59 2026 +0800

    Fix: prevent delete default network (apple#1083)

    - Fixed apple#1073
    - Move the conditional check to the front; there's no need
      to check for a default network after filtering.

    Signed-off-by: ChengHao Yang <17496418+tico88612@users.noreply.github.com>

commit 9d32bc5
Merge: a2b4486 69445b9
Author: Morris Richman <81453549+Mcrich23@users.noreply.github.com>
Date:   Mon Jan 19 19:20:12 2026 -0800

    Merge branch 'apple:main' into main

commit a2b4486
Merge: 27a94a0 bfc5ca9
Author: Morris Richman <81453549+Mcrich23@users.noreply.github.com>
Date:   Fri Oct 3 23:03:02 2025 -0700

    Merge branch 'apple:main' into main

commit 27a94a0
Author: Morris Richman <81453549+Mcrich23@users.noreply.github.com>
Date:   Thu Sep 18 17:07:12 2025 -0700

    chore(fmt): auto-format before push

commit 4a4d0a9
Author: Morris Richman <81453549+Mcrich23@users.noreply.github.com>
Date:   Thu Sep 18 17:07:06 2025 -0700

    Update PropertySet.swift

commit 665d813
Author: Morris Richman <81453549+Mcrich23@users.noreply.github.com>
Date:   Thu Sep 18 17:02:09 2025 -0700

    Update PropertySet.swift

commit 01a474e
Author: Morris Richman <81453549+Mcrich23@users.noreply.github.com>
Date:   Thu Sep 18 16:57:41 2025 -0700

    chore(fmt): auto-format before push

commit e7c68b5
Author: Morris Richman <81453549+Mcrich23@users.noreply.github.com>
Date:   Thu Sep 18 16:57:01 2025 -0700

    Update SystemProperty.swift

Author: Mcrich23

.github/workflows/common.yml

@@ -22,7 +22,7 @@ jobs:
       packages: read
     steps:
       - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
         with:
           fetch-depth: 0
 

.github/workflows/pr-label-apply.yml

@@ -20,7 +20,7 @@ jobs:
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Download PR metadata artifact
         uses: actions/download-artifact@37930b1c2abaa49bbe596cd826c3c89aef350131 # v7

BUILDING.md

@@ -58,19 +58,27 @@ to prepare your build environment.
     bin/container system stop
     ```
 
-4. Use the Swift package manager to configure use your local `containerization` package and update your `Package.resolved` file.
+4. Reconfigure the Swift project to use your local `containerization` package and update your `Package.resolved` file.
 
     ```bash
     /usr/bin/swift package edit --path ../containerization containerization
     /usr/bin/swift package update containerization
     ```
 
     > [!IMPORTANT]
-    > If you are using Xcode, you will need to temporarily modify `Package.swift` instead of using `swift package edit`, using a path dependency in place of the versioned `container` dependency:
+    > If you are using Xcode, do **not** run `swift package edit`. Instead, temporarily modify `Package.swift` to replace the versioned `containerization` dependency:
     >
-    >    ```swift
-    >    .package(path: "../containerization"),
-    >    ```
+    > ```swift
+    > .package(url: "https://github.com/apple/containerization.git", exact: Version(stringLiteral: scVersion)),
+    > ```
+    >
+    > with the local path dependency:
+    >
+    > ```swift
+    > .package(path: "../containerization"),
+    > ```
+    >
+    > **Note:** If you have already run `swift package edit`, whether intentionally or by accident, follow the steps in the next section to restore the normal `containerization` dependency. Otherwise, the modified `Package.swift` file will not work, and the project may fail to build.
 
 5. If you want `container` to use any changes you made in the `vminit` subproject of Containerization, update the system property to use the locally built init filesystem image:
 
@@ -119,6 +127,42 @@ To revert to using the Containerization dependency from your `Package.swift`:
     bin/container system start
     ```
 
+## Debug XPC Helpers
+
+Attach debugger to the XPC helpers using their launchd service labels:
+
+1. Find launchd service labels:
+
+   ```console
+   % container system start
+   % container run -d --name test debian:bookworm sleep infinity
+   test
+   % launchctl list | grep container
+   27068   0       com.apple.container.container-network-vmnet.default
+   27072   0       com.apple.container.container-core-images
+   26980   0       com.apple.container.apiserver
+   27331   0       com.apple.container.container-runtime-linux.test
+   ```
+
+2. Stop container and start again after setting the environment variable `CONTAINER_DEBUG_LAUNCHD_LABEL` to the label of service to attach debugger. Services whose label starts with the `CONTAINER_DEBUG_LAUNCHD_LABEL` will wait the debugger:
+
+    ```console
+    % export CONTAINER_DEBUG_LAUNCHD_LABEL=com.apple.container.container-runtime-linux.test
+    % container system start # Only the service `com.apple.container.container-runtime-linux.test` waits debugger
+    ```
+
+    ```console
+    % export CONTAINER_DEBUG_LAUNCHD_LABEL=com.apple.container.container-runtime-linux
+    % container system start # Every service starting with `com.apple.container.container-runtime-linux` waits debugger
+    ```
+
+3. Run the command to launch the service, and attach debugger:
+
+    ```console
+    % container run -it --name test debian:bookworm
+    ⠧ [6/6] Starting container [0s] # It hangs as the service is waiting for debugger
+    ```
+
 ## Pre-commit hook
 
 Run `make pre-commit` to install a pre-commit hook that ensures that your changes have correct formatting and license headers when you run `git commit`.

Makefile

@@ -187,6 +187,7 @@ integration: init-block
 		$(SWIFT) test -c $(BUILD_CONFIGURATION) $(SWIFT_CONFIGURATION) --filter TestCLIRunCommand1 || exit_code=1 ; \
 		$(SWIFT) test -c $(BUILD_CONFIGURATION) $(SWIFT_CONFIGURATION) --filter TestCLIRunCommand2 || exit_code=1 ; \
 		$(SWIFT) test -c $(BUILD_CONFIGURATION) $(SWIFT_CONFIGURATION) --filter TestCLIRunCommand3 || exit_code=1 ; \
+		$(SWIFT) test -c $(BUILD_CONFIGURATION) $(SWIFT_CONFIGURATION) --filter TestCLIPruneCommand || exit_code=1 ; \
 		$(SWIFT) test -c $(BUILD_CONFIGURATION) $(SWIFT_CONFIGURATION) --filter TestCLIStatsCommand || exit_code=1 ; \
 		$(SWIFT) test -c $(BUILD_CONFIGURATION) $(SWIFT_CONFIGURATION) --filter TestCLIImagesCommand || exit_code=1 ; \
 		$(SWIFT) test -c $(BUILD_CONFIGURATION) $(SWIFT_CONFIGURATION) --filter TestCLIRunBase || exit_code=1 ; \

Package.resolved

@@ -24,7 +24,7 @@ import PackageDescription
 let releaseVersion = ProcessInfo.processInfo.environment["RELEASE_VERSION"] ?? "0.0.0"
 let gitCommit = ProcessInfo.processInfo.environment["GIT_COMMIT"] ?? "unspecified"
 let builderShimVersion = "0.7.0"
-let scVersion = "0.21.1"
+let scVersion = "0.24.5"
 
 let package = Package(
     name: "container",
@@ -44,6 +44,7 @@ let package = Package(
         .library(name: "ContainerVersion", targets: ["ContainerVersion"]),
         .library(name: "ContainerXPC", targets: ["ContainerXPC"]),
         .library(name: "SocketForwarder", targets: ["SocketForwarder"]),
+        .library(name: "TerminalProgress", targets: ["TerminalProgress"]),
     ],
     dependencies: [
         .package(url: "https://github.com/apple/swift-log.git", from: "1.0.0"),

Package.swift

@@ -25,6 +25,8 @@ import NIOHPACK
 import NIOHTTP2
 
 public struct Builder: Sendable {
+    public static let builderContainerId = "buildkit"
+
     let client: BuilderClientProtocol
     let clientAsync: BuilderClientAsyncProtocol
     let group: EventLoopGroup

Sources/ContainerBuild/Builder.swift

@@ -62,6 +62,7 @@ public struct Application: AsyncLoggableCommand {
                     ContainerStart.self,
                     ContainerStats.self,
                     ContainerStop.self,
+                    ContainerPrune.self,
                 ]
             ),
             CommandGroup(

Sources/ContainerCommands/Application.swift

@@ -125,6 +125,9 @@ extension Application {
         @OptionGroup
         public var logOptions: Flags.Logging
 
+        @OptionGroup
+        public var dns: Flags.DNS
+
         @Argument(help: "Build directory")
         var contextDir: String = "."
 
@@ -143,12 +146,13 @@ extension Application {
 
                 progress.set(description: "Dialing builder")
 
-                let builder: Builder? = try await withThrowingTaskGroup(of: Builder.self) { [vsockPort, cpus, memory] group in
+                let dnsNameservers = self.dns.nameservers
+                let builder: Builder? = try await withThrowingTaskGroup(of: Builder.self) { [vsockPort, cpus, memory, dnsNameservers] group in
                     defer {
                         group.cancelAll()
                     }
 
-                    group.addTask { [vsockPort, cpus, memory, log] in
+                    group.addTask { [vsockPort, cpus, memory, log, dnsNameservers] in
                         while true {
                             do {
                                 let container = try await ClientContainer.get(id: "buildkit")
@@ -170,6 +174,7 @@ extension Application {
                                     cpus: cpus,
                                     memory: memory,
                                     log: log,
+                                    dnsNameservers: dnsNameservers,
                                     progressUpdate: progress.handler
                                 )
 

Sources/ContainerCommands/BuildCommand.swift

@@ -45,6 +45,9 @@ extension Application {
         )
         var memory: String = "2048MB"
 
+        @OptionGroup
+        public var dns: Flags.DNS
+
         @OptionGroup
         public var logOptions: Flags.Logging
 
@@ -61,11 +64,29 @@ extension Application {
                 progress.finish()
             }
             progress.start()
-            try await Self.start(cpus: self.cpus, memory: self.memory, log: log, progressUpdate: progress.handler)
+            try await Self.start(
+                cpus: self.cpus,
+                memory: self.memory,
+                log: log,
+                dnsNameservers: self.dns.nameservers,
+                dnsDomain: self.dns.domain,
+                dnsSearchDomains: self.dns.searchDomains,
+                dnsOptions: self.dns.options,
+                progressUpdate: progress.handler
+            )
             progress.finish()
         }
 
-        static func start(cpus: Int64?, memory: String?, log: Logger, progressUpdate: @escaping ProgressUpdateHandler) async throws {
+        static func start(
+            cpus: Int64?,
+            memory: String?,
+            log: Logger,
+            dnsNameservers: [String] = [],
+            dnsDomain: String? = nil,
+            dnsSearchDomains: [String] = [],
+            dnsOptions: [String] = [],
+            progressUpdate: @escaping ProgressUpdateHandler
+        ) async throws {
             await progressUpdate([
                 .setDescription("Fetching BuildKit image"),
                 .setItemsName("blobs"),
@@ -103,6 +124,7 @@ extension Application {
                 let existingImage = existingContainer.configuration.image.reference
                 let existingResources = existingContainer.configuration.resources
                 let existingEnv = existingContainer.configuration.initProcess.environment
+                let existingDNS = existingContainer.configuration.dns
 
                 let existingManagedEnv = existingEnv.filter { envVar in
                     envVar.hasPrefix("BUILDKIT_COLORS=") || envVar.hasPrefix("NO_COLOR=")
@@ -129,11 +151,26 @@ extension Application {
                     }
                     return false
                 }()
+                let dnsChanged = {
+                    if !dnsNameservers.isEmpty {
+                        return existingDNS?.nameservers != dnsNameservers
+                    }
+                    if dnsDomain != nil {
+                        return existingDNS?.domain != dnsDomain
+                    }
+                    if !dnsSearchDomains.isEmpty {
+                        return existingDNS?.searchDomains != dnsSearchDomains
+                    }
+                    if !dnsOptions.isEmpty {
+                        return existingDNS?.options != dnsOptions
+                    }
+                    return false
+                }()
 
                 switch existingContainer.status {
                 case .running:
-                    guard imageChanged || cpuChanged || memChanged || envChanged else {
-                        // If image, mem and cpu are the same, continue using the existing builder
+                    guard imageChanged || cpuChanged || memChanged || envChanged || dnsChanged else {
+                        // If image, mem, cpu, env, and DNS are the same, continue using the existing builder
                         return
                     }
                     // If they changed, stop and delete the existing builder
@@ -142,7 +179,7 @@ extension Application {
                 case .stopped:
                     // If the builder is stopped and matches our requirements, start it
                     // Otherwise, delete it and create a new one
-                    guard imageChanged || cpuChanged || memChanged || envChanged else {
+                    guard imageChanged || cpuChanged || memChanged || envChanged || dnsChanged else {
                         try await existingContainer.startBuildKit(progressUpdate, nil)
                         return
                     }
@@ -164,8 +201,7 @@ extension Application {
                 useRosetta ? nil : "--enable-qemu",
             ].compactMap { $0 }
 
-            let id = "buildkit"
-            try ContainerAPIClient.Utility.validEntityName(id)
+            try ContainerAPIClient.Utility.validEntityName(Builder.builderContainerId)
 
             let image = try await ClientImage.fetch(
                 reference: builderImage,
@@ -207,8 +243,9 @@ extension Application {
                 memory: memory
             )
 
-            var config = ContainerConfiguration(id: id, image: imageDesc, process: processConfig)
+            var config = ContainerConfiguration(id: Builder.builderContainerId, image: imageDesc, process: processConfig)
             config.resources = resources
+            config.labels = [ResourceLabelKeys.role: ResourceRoleValues.builder]
             config.mounts = [
                 .init(
                     type: .tmpfs,
@@ -226,15 +263,24 @@ extension Application {
             // Enable Rosetta only if the user didn't ask to disable it
             config.rosetta = useRosetta
 
-            let network = try await ClientNetwork.get(id: ClientNetwork.defaultNetworkName)
-            guard case .running(_, let networkStatus) = network else {
+            guard let defaultNetwork = try await ClientNetwork.builtin else {
+                throw ContainerizationError(.invalidState, message: "default network is not present")
+            }
+            guard case .running(_, let networkStatus) = defaultNetwork else {
                 throw ContainerizationError(.invalidState, message: "default network is not running")
             }
-            config.networks = [AttachmentConfiguration(network: network.id, options: AttachmentOptions(hostname: id))]
+            config.networks = [
+                AttachmentConfiguration(network: defaultNetwork.id, options: AttachmentOptions(hostname: Builder.builderContainerId))
+            ]
             let subnet = networkStatus.ipv4Subnet
             let nameserver = IPv4Address(subnet.lower.value + 1).description
-            let nameservers = [nameserver]
-            config.dns = ContainerConfiguration.DNSConfiguration(nameservers: nameservers)
+            let nameservers = dnsNameservers.isEmpty ? [nameserver] : dnsNameservers
+            config.dns = ContainerConfiguration.DNSConfiguration(
+                nameservers: nameservers,
+                domain: dnsDomain,
+                searchDomains: dnsSearchDomains,
+                options: dnsOptions
+            )
 
             let kernel = try await {
                 await progressUpdate([