diff --git a/.circleci/config.yml b/.circleci/config.yml
index 9bf41ce31..e754ad66b 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -1,25 +1,28 @@
 references:
   envoy-build-image: &envoy-build-image
-    envoyproxy/envoy-build:latest
+    envoyproxy/envoy-build-ubuntu:41c5a05d708972d703661b702a63ef5060125c33
 
 version: 2
 jobs:
   build:
     docker:
-      - image: *envoy-build-image
+    - image: *envoy-build-image
+    - entrypoint: ./ci/in_docker.sh
+    - environment:
+        HOST_UID: $UID
     resource_class: xlarge
     steps:
-      - checkout
-      - run: git submodule update --init
-      - run: ./ci/do_ci.sh build
+    - checkout
+    - run: git submodule update --init
+    - run: ./ci/do_ci.sh build
   test:
     docker:
-      - image: *envoy-build-image
+    - image: *envoy-build-image
     resource_class: xlarge
     steps:
-      - checkout
-      - run: git submodule update --init
-      - run: ./ci/do_ci.sh test
+    - checkout
+    - run: git submodule update --init
+    - run: ./ci/do_ci.sh test
 
 workflows:
   version: 2
@@ -27,4 +30,3 @@ workflows:
     jobs:
       - build
       - test
-
diff --git a/ci/in_docker.sh b/ci/in_docker.sh
new file mode 100755
index 000000000..c95ae2c72
--- /dev/null
+++ b/ci/in_docker.sh
@@ -0,0 +1,23 @@
+#!/bin/bash -eu
+
+set -o pipefail
+
+apt-get -qq update -y
+apt-get -qq install --no-install-recommends gosu
+
+USER_UID="$HOST_UID"
+USER_GID="${HOST_GID:-${HOST_UID}}"
+
+DOCKER_GROUP_ARGS+=(--gid "${USER_GID}")
+DOCKER_USER_ARGS+=(--gid "${USER_GID}")
+
+groupadd ${DOCKER_GROUP_ARGS[*]} -f envoygroup
+useradd -o --uid ${USER_UID} ${DOCKER_USER_ARGS[*]} --no-create-home --home-dir /build envoybuild
+usermod -a -G pcap envoybuild
+chown envoybuild:envoygroup /build
+chown envoybuild /proc/self/fd/2
+sudo -EHs -u envoybuild bash -c 'cd /source $*'
+
+cd /source
+
+gosu envoybuild "$@"