diff --git a/.golangci.yml b/.golangci.yml
index b4c2f1c2e..f6bb86b1c 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -18,6 +18,10 @@ linters:
 linters-settings:
 goimports:
 local-prefixes: github.com/NVIDIA/nvidia-container-toolkit
+ gosec:
+ excludes:
+ # TODO: Consider hardening security of command line invocations
+ - G204
 issues:
 exclude:
diff --git a/pkg/config/source.go b/pkg/config/source.go
index b07a2fd3b..4ef09771a 100644
--- a/pkg/config/source.go
+++ b/pkg/config/source.go
@@ -64,6 +64,18 @@ func FromFile(path string) Loader {
 return tomlFile(path)
 }
+// FromCLI creates a TOML source from a CLI output.
+// If an empty slice is passed as input, an empty toml config is used.
+func FromCLI(command []string) Loader {
+ if len(command) == 0 {
+ return Empty
+ }
+ return &tomlFromCommandOutput{
+ command: command[0],
+ args: command[1:],
+ }
+}
+
 // Load loads the contents of the specified TOML file as a map.
 func (f tomlFile) Load() (*Toml, error) {
 info, err := os.Stat(string(f))
diff --git a/tools/container/containerd/containerd.go b/tools/container/containerd/containerd.go
index 84c3f7342..b880bd88d 100644
--- a/tools/container/containerd/containerd.go
+++ b/tools/container/containerd/containerd.go
@@ -188,9 +188,14 @@ func main() {
 // Setup updates a containerd configuration to include the nvidia-containerd-runtime and reloads it
 func Setup(c *cli.Context, o *options) error {
 log.Infof("Starting 'setup' for %v", c.App.Name)
+ var cliArgs []string
+ if o.HostRootMount != "" {
+ cliArgs = append(cliArgs, "chroot", o.HostRootMount)
+ }
+ cliArgs = append(cliArgs, "containerd", "config", "dump")
 cfg, err := containerd.New(
- containerd.WithReference(config.FromFile(o.Config)),
+ containerd.WithReference(config.FromCLI(cliArgs)),
 containerd.WithPath(o.Config),
 containerd.WithRuntimeType(o.runtimeType),
 containerd.WithUseLegacyConfig(o.useLegacyConfig),
diff --git a/tools/container/crio/crio.go b/tools/container/crio/crio.go
index 653998c7a..c7a57c97d 100644
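Review bot: Listing G204 under `linters-settings.gosec.excludes` switches the subprocess-with-variable check off for the whole repository, so command invocations added later will pass the linter unreviewed, not only the one this commit introduces. A narrower suppression keeps the rule active: annotate the specific exec call with `// #nosec G204` plus a short justification, or scope the exclusion by path under `issues.exclude-rules`. The TODO would also be easier to follow up if it named a tracking issue.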
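Review bot: The doc comment on FromCLI does not state that `command[0]` is an executable that gets run to produce the config, which is what a caller most needs to know before passing values derived from flags or the environment. I would add something like `// command[0] is the executable and command[1:] its arguments; the command is run to obtain the config, so pass only trusted, fixed values.` The tomlFromCommandOutput type is not defined in this hunk, so how the executable is resolved (presumably a PATH lookup) and what Load returns when the command fails cannot be checked from here and are worth stating on that type.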
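Review bot: `o.HostRootMount` goes straight into the `chroot` argument list in Setup without any check, and the same five lines are repeated in setupConfig in tools/container/crio/crio.go. A shared helper that rejects a non-absolute value first (`if !filepath.IsAbs(o.HostRootMount) { return fmt.Errorf("host root mount %q is not an absolute path", o.HostRootMount) }`) would ensure chroot always receives a real directory path as its first argument and keep the two call sites consistent. Separately, the reference is now whatever `containerd config dump` resolves, presumably from containerd's default config location, rather than the file at `o.Config`, so the two can differ when `o.Config` is a non-default path; a comment saying this is intended would help. Setup's body continues outside the hunk.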
--- a/tools/container/crio/crio.go
+++ b/tools/container/crio/crio.go
@@ -26,6 +26,7 @@ import (
 "github.com/NVIDIA/nvidia-container-toolkit/internal/config"
 "github.com/NVIDIA/nvidia-container-toolkit/internal/info"
+ pkgconfig "github.com/NVIDIA/nvidia-container-toolkit/pkg/config"
 "github.com/NVIDIA/nvidia-container-toolkit/pkg/config/engine/crio"
 "github.com/NVIDIA/nvidia-container-toolkit/pkg/config/ocihook"
 "github.com/NVIDIA/nvidia-container-toolkit/tools/container"
@@ -220,8 +221,15 @@ func setupHook(o *options) error {
 func setupConfig(o *options) error {
 log.Infof("Updating config file")
+ var cliArgs []string
+ if o.HostRootMount != "" {
+ cliArgs = append(cliArgs, "chroot", o.HostRootMount)
+ }
+ cliArgs = append(cliArgs, "crio", "status", "config")
+
 cfg, err := crio.New(
 crio.WithPath(o.Config),
+ crio.WithReference(pkgconfig.FromCLI(cliArgs)),
 )
 if err != nil {
 return fmt.Errorf("unable to load config: %v", err)
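Review bot: In setupConfig the reference now depends on `crio status config` succeeding, which as far as I know queries a running CRI-O instance, so the load can presumably fail when the daemon is down or `crio` is not on the PATH inside `o.HostRootMount`; before this change the step needed only the file at `o.Config`. The hunk shows no fallback, and how FromCLI's loader reports a failed command is not visible here. If that is intended, a comment above the `cliArgs` block saying so would help, e.g. `// The config is read from the running daemon; setup fails if crio cannot be queried.` The function body continues past the end of the hunk.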