diff --git a/Dockerfile b/Dockerfile
index 778921ef..aa5b3c37 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,53 +1,61 @@ +# This Dockerfile installs Sydent from source, which is assumed to be in the current +# working directory. The resulting image contains a single "sydent" user, and populates +# their home area with "src" and "venv" directories. The entrypoint runs Sydent, +# listening on port 8090. # -# Step 1: Build sydent and install dependencies -# -FROM docker.io/python:3.8-slim as builder +# Users must provide a persistent volume available to the container as `/data`. This +# will contain Sydent's configuration and database. A blank configuration and database +# file is created the first time Sydent runs. -# Install dev packages -RUN apt-get update && apt-get install -y \ - build-essential +# Step 1: install dependencies +FROM docker.io/python:3.8-slim as builder # Add user sydent RUN addgroup --system --gid 993 sydent \ - && adduser --disabled-password --home /sydent --system --uid 993 --gecos sydent sydent \ - && echo "sydent:$(dd if=/dev/random bs=32 count=1 | base64)" | chpasswd + && adduser --disabled-login --system --uid 993 --gecos sydent sydent +USER sydent:sydent + +# Install poetry +RUN pip install --user poetry==1.1.12 -# Copy resources -COPY --chown=sydent:sydent ["res", "/sydent/res"] -COPY --chown=sydent:sydent ["scripts", "/sydent/scripts"] -COPY --chown=sydent:sydent ["sydent", "/sydent/sydent"] -COPY --chown=sydent:sydent ["README.rst", "setup.cfg", "setup.py", "/sydent/"] +# Copy source code and resources +WORKDIR /home/sydent/src +COPY --chown=sydent:sydent ["res", "res"] +COPY --chown=sydent:sydent ["scripts", "scripts"] +COPY --chown=sydent:sydent ["sydent", "sydent"] +COPY --chown=sydent:sydent ["README.rst", "pyproject.toml", "poetry.lock", "./"] # Install dependencies -USER sydent -WORKDIR /sydent -RUN pip install --user --upgrade pip setuptools sentry-sdk prometheus_client \ - && pip install --user . 
\ - && rm -rf /sydent/.cache \ - && find /sydent -name '*.pyc' -delete +RUN python -m poetry install --no-dev --no-interaction -# -# Step 2: Reduce image size and layers -# +# Record dependencies for posterity +RUN python -m poetry export -o requirements.txt + +# Make the virtualenv accessible for the final image +RUN ln -s $(python -m poetry env info -p) /home/sydent/venv + +# Nuke bytecode files to keep the final image slim. +RUN find /home/sydent/venv -type f -name '*.pyc' -delete +# Step 2: Create runtime image FROM docker.io/python:3.8-slim # Add user sydent and create /data directory RUN addgroup --system --gid 993 sydent \ - && adduser --disabled-password --home /sydent --system --uid 993 --gecos sydent sydent \ - && echo "sydent:$(dd if=/dev/random bs=32 count=1 | base64)" | chpasswd \ + && adduser --disabled-login --home /sydent --system --uid 993 --gecos sydent sydent \ && mkdir /data \ && chown sydent:sydent /data -# Copy sydent -COPY --from=builder ["/sydent", "/sydent"] +# Copy sydent and the virtualenv +COPY --from=builder ["/home/sydent/src", "/home/sydent/src"] +COPY --from=builder ["/home/sydent/venv", "/home/sydent/venv"] ENV SYDENT_CONF=/data/sydent.conf ENV SYDENT_PID_FILE=/data/sydent.pid ENV SYDENT_DB_PATH=/data/sydent.db -WORKDIR /sydent +WORKDIR /home/sydent USER sydent:sydent VOLUME ["/data"] EXPOSE 8090/tcp -CMD [ "python", "-m", "sydent.sydent" ] +CMD [ "venv/bin/python", "-m", "sydent.sydent" ] diff --git a/README.rst b/README.rst index 394b133a..3753f08c 100644 --- a/README.rst +++ b/README.rst 
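Review bot: The runtime stage's `adduser` line still passes `--home /sydent`, while this commit moves the source and virtualenv to `/home/sydent` and sets `WORKDIR /home/sydent`, so the sydent user's passwd home (and `$HOME`) no longer matches the directory the header comment calls their home area. The builder stage drops `--home` altogether and depends on adduser's default home for a system user, which can differ between Debian releases behind the floating `python:3.8-slim` tag; passing the path explicitly in both stages would remove that dependency: `&& adduser --disabled-login --home /home/sydent --system --uid 993 --gecos sydent sydent`. Separately, `pip install --user poetry==1.1.12` pins Poetry but not Poetry's own dependencies, and neither `FROM` line is pinned by digest, so the build toolchain is still resolved at build time even though the application's dependencies now come from `poetry.lock`.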
@@ -80,13 +80,11 @@ Docker A Dockerfile is provided for sydent. To use it, run ``docker build -t sydent .`` in a sydent checkout. To run it, use ``docker run --env=SYDENT_SERVER_NAME=my-sydent-server -p 8090:8090 sydent``. -Caution: All data will be lost when the container is terminated! - Persistent data --------------- -By default, all data is stored in ``/data``. -The best method is to put the data in a Docker volume. +By default, all data is stored in ``/data``. To persist this to disk, bind `/data` to a +Docker volume. .. code-block:: shell diff --git a/changelog.d/493.misc b/changelog.d/493.misc new file mode 100644 index 00000000..b04987a7 --- /dev/null +++ b/changelog.d/493.misc @@ -0,0 +1 @@ +Update Dockerfile to use a fixed poetry environment, rather than `pip install`ing the latest dependencies. \ No newline at end of file