diff --git a/.github/workflows/dockerhub.yml b/.github/workflows/dockerhub.yml
index eef80b4..ab7ef16 100644
--- a/.github/workflows/dockerhub.yml
+++ b/.github/workflows/dockerhub.yml
@@ -1,6 +1,8 @@
 name: dockerhub publish
 on:
+ release:
+ types: published
 repository_dispatch:
 types: dockerhub
@@ -26,7 +28,7 @@ jobs:
 uses: docker/build-push-action@v2
 with:
 push: true
- file: docker/Dockerfile.debian10
+ file: docker/Dockerfile.sandbox
 tags: ovhcom/the-bastion:sandbox-latest
 - name: Image digest
diff --git a/docker/Dockerfile.sandbox b/docker/Dockerfile.sandbox
new file mode 100644
index 0000000..d664a1b
--- /dev/null
+++ b/docker/Dockerfile.sandbox
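Review bot: With the new `release` trigger every published release rebuilds and pushes the image, but the `tags:` line in the second hunk still names only the mutable `ovhcom/the-bastion:sandbox-latest`, so no release gets an image that users can pin or roll back to. Consider adding a second tag derived from the release tag when the event is a release, keeping `sandbox-latest` as the moving alias. Separately, `docker/build-push-action@v2` is referenced by a movable tag in a job that runs with `push: true`; pinning it to a full commit SHA would narrow the supply-chain exposure. The job definition starts outside these hunks, so its login and checkout steps were not reviewed.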
@@ -0,0 +1,31 @@
+FROM debian:buster
+LABEL maintainer="stephane.lesimple+bastion@ovhcloud.com"
+
+# first, copy everything we need
+COPY . /opt/bastion
+
+# then do a big RUN to squash layers (--squash is still experimental, we can't use it yet)
+
+RUN \
+ # ensure the OS is up to date
+ apt update -y && DEBIAN_FRONTEND=noninteractive apt-get dist-upgrade -y && \
+ # install packages (-i), including dev ones (-d) and syslog-ng (-s) \
+ /opt/bastion/bin/admin/packages-check.sh -i -d -s && \
+ # download and install the ttyrec deb package (-d) \
+ /opt/bastion/bin/admin/install-ttyrec.sh -d && \
+ # cleanup packages cache to save space \
+ rm -rf /var/cache/apt && \
+ # handle locales \
+ echo "en_US.UTF-8 UTF-8" >> /etc/locale.gen && locale-gen && \
+ # disable /dev/kmsg handling by syslog-ng and explicitely enable /dev/log \
+ sed -i -re 's=system\(\);=unix-stream("/dev/log");=' /etc/syslog-ng/syslog-ng.conf && \
+ # accountUidMax & ttyrecGroupIdOffset change: fixes https://github.com/ovh/the-bastion/issues/24 \
+ sed -i -re 's/^"accountUidMax":.+/"accountUidMax": 9999,/;s/^"ttyrecGroupIdOffset":.+/"ttyrecGroupIdOffset": 10000,/' /opt/bastion/etc/bastion/bastion.conf.dist && \
+ # install the software \
+ /opt/bastion/bin/admin/install --new-install --no-wait
+
+# We'll expose our port 22
+EXPOSE 22/tcp
+
+# start at entrypoint
+ENTRYPOINT /opt/bastion/docker/entrypoint.sh --sandbox
diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh
index 01e4d04..3a4b734 100755
--- a/docker/entrypoint.sh
+++ b/docker/entrypoint.sh
@@ -8,6 +8,9 @@ else
 test -x /etc/rc.d/sshd && /etc/rc.d/sshd onestart
 fi
+if [ "$1" = "--sandbox" ]; then
+ "The Bastion sandbox container is running, you can now connect to its port 22 (probably remapped to another port on the host)"
+fi
 while : ; do
 sleep 3600
 done
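Review bot: The shell-form `ENTRYPOINT` on the last line runs the script under `/bin/sh -c`, so arguments passed to `docker run` are dropped and stop signals may reach the wrapper shell rather than the script; the exec form `ENTRYPOINT ["/opt/bastion/docker/entrypoint.sh", "--sandbox"]` avoids both. Because this image is pushed to a public registry, anything generated during the `RUN` step is identical in every container started from it: if the package install or `install --new-install` creates SSH host keys at build time (not visible in this hunk), they should be removed before the layer ends and regenerated at first start. `rm -rf /var/cache/apt` leaves `/var/lib/apt/lists` in the layer, and `apt update` would be better as `apt-get update` to match the `apt-get dist-upgrade` beside it. `COPY . /opt/bastion` ships the whole build context, so a `.dockerignore` (not visible here) is worth checking before the image is published.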
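Review bot: The line added inside the new `if` block is a bare quoted string with no command in front of it, so the shell will try to execute the whole sentence as a command name and report it as not found instead of printing the message. It should read `echo "The Bastion sandbox container is running, you can now connect to its port 22 (probably remapped to another port on the host)"`. If the script enables `set -e` above this hunk (not visible here), the failed command would also end the entrypoint before the keep-alive loop is reached. The script begins outside the hunk.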