diff --git a/ci/Jenkinsfile b/ci/Jenkinsfile
index ad48a3f..c32aed6 100644
--- a/ci/Jenkinsfile
+++ b/ci/Jenkinsfile
@@ -47,11 +47,25 @@ pipeline {
 
         stage('Build') {
             steps {
-                sh 'make -C buildroot O="${PWD}"/_build BR2_EXTERNAL="${PWD}" pythonctnr_defconfig'
-                sh 'make -C _build'
+                sh '. ci/build.sh'
+            }
+        }
+
+        stage('Build Container') {
+            steps {
+                container('buildah') {
+                    sh '. ci/build-container.sh'
+                }
+            }
+        }
+
+        stage('Publish Container') {
+            steps {
+                container('buildah') {
+                    sh '. ci/publish-container.sh'
+                }
             }
         }
 
     }
-
 }
diff --git a/ci/build-container.sh b/ci/build-container.sh
new file mode 100644
index 0000000..a64d358
--- /dev/null
+++ b/ci/build-container.sh
@@ -0,0 +1,7 @@
+#!/bin/sh
+
+. ci/container-common.sh
+
+ctnr=$(buildah from scratch)
+buildah add ${ctnr} _build/images/rootfs.tar /
+buildah commit ${ctnr} pythonctnr:$(tag_name ${BUILD_TAG})
diff --git a/ci/build.sh b/ci/build.sh
new file mode 100644
index 0000000..6454316
--- /dev/null
+++ b/ci/build.sh
@@ -0,0 +1,5 @@
+#!/bin/sh
+# vim: set sw=4 ts=4 sts=4 et :
+
+make -C buildroot O="${PWD}"/_build BR2_EXTERNAL="${PWD}" pythonctnr_defconfig
+make -C _build
diff --git a/ci/container-common.sh b/ci/container-common.sh
new file mode 100644
index 0000000..f1dc6f2
--- /dev/null
+++ b/ci/container-common.sh
@@ -0,0 +1,5 @@
+# shellcheck: shell=sh
+
+tag_name() {
+    echo "$1" | sed -e 's/[^a-zA-Z0-9._-]/-/g' -e 's/^[.-]/_/'
+}
diff --git a/ci/podTemplate.yaml b/ci/podTemplate.yaml
index 002b5b8..6c05c0e 100644
--- a/ci/podTemplate.yaml
+++ b/ci/podTemplate.yaml
@@ -13,6 +13,13 @@ spec:
     securityContext:
       readOnlyRootFilesystem: true
       runAsUser: 1000
+  - name: buildah
+    image: quay.io/containers/buildah:v1
+    command:
+    - sleep
+    - infinity
+    securityContext:
+      privileged: true
   volumes:
   - name: tmp
     emptyDir:
diff --git a/ci/publish-container.sh b/ci/publish-container.sh
new file mode 100644
index 0000000..03bfbcf
--- /dev/null
+++ b/ci/publish-container.sh
@@ -0,0 +1,14 @@
+#!/bin/sh -ex
+
+. ci/container-common.sh
+
+push() {
+    tag=$(tag_name "$1")
+    buildah push pythonctnr:$(tag_name ${BUILD_TAG}) registry.pyrocufflink.blue/pythonctnr:${tag}
+}
+
+push ${BUILD_TAG}
+push ${BRANCH_NAME}
+if [ "${BRANCH_NAME}" = master ]; then
+    push latest
+fi