diff --git a/Dockerfile b/Dockerfile
index bea20404efd68ca40f8687bdfb1c1eecef80cf95..68ed1ceec187480ce56af025b69c9a92830d780b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,6 +1,5 @@
 # We use a multistage build to avoid bloating our deployment image with build dependencies
 FROM golang:1.10.3-alpine3.8 as builder
-MAINTAINER Monax <support@monax.io>
 
 RUN apk add --no-cache --update git bash make
 
@@ -14,21 +13,35 @@ RUN make build
 # This will be our base container image
 FROM alpine:3.8
 
-ARG REPO=/go/src/github.com/hyperledger/burrow
-
+# Variable arguments to populate labels
+ARG VERSION
+ARG VCS_REF=master
+ARG BUILD_DATE
+
+# Fixed labels according to container label-schema
+LABEL org.label-schema.schema-version="1.0"
+LABEL org.label-schema.name = "Burrow"
+LABEL org.label-schema.vendor="Hyperledger Burrow Authors"
+LABEL org.label-schema.description="Hyperledger Burrow is a permissioned Ethereum smart-contract blockchain node."
+LABEL org.label-schema.license="Apache-2.0"
+LABEL org.label-schema.version=$VERSION
+LABEL org.label-schema.vcs-url="https://github.com/hyperledger/burrow"
+LABEL org.label-schema.vcs-ref=$VCS_REF
+LABEL org.label-schema.build-date=$BUILD_DATE
+
+# Run burrow as burrow user; not as root user
 ENV USER burrow
 ENV BURROW_PATH /home/$USER
 RUN addgroup -g 101 -S $USER && adduser -S -D -u 1000 $USER $USER
-WORKDIR $ BURROW_PATH
-USER $USER:$USER
+WORKDIR $BURROW_PATH
 
 # Copy binaries built in previous stage
-COPY --from=builder $REPO/bin/* /usr/local/bin/
-#RUN chown $USER:$USER /usr/local/bin/burrow*
+COPY --from=builder /go/src/github.com/hyperledger/burrow/bin/burrow /usr/local/bin/
 
-# Expose ports for 26656: tendermint-peer; 26658: info; 10997: GRPC
+# Expose ports for 26656:peer; 26658:info; 10997:grpc
 EXPOSE 26656
 EXPOSE 26658
 EXPOSE 10997
 
+USER $USER:$USER
 ENTRYPOINT [ "burrow" ]
diff --git a/scripts/build_tool.sh b/scripts/build_tool.sh
index 1f1d0aa57d70af37e559f55cde60e6e56fb21b08..4340f3a8bddcbf9a1c3a908da16d75ac0b6fce5d 100755
--- a/scripts/build_tool.sh
+++ b/scripts/build_tool.sh
@@ -20,6 +20,11 @@
 
 set -e
 
+script_dir="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
+
+# Grab date, commit, version
+. "$script_dir/local_version.sh" > /dev/null
+
 DOCKER_REPO=${DOCKER_REPO:-"hyperledger/burrow"}
 REPO=${REPO:-"$GOPATH/src/github.com/hyperledger/burrow"}
 
@@ -27,15 +32,19 @@ function log() {
     echo "$*" >> /dev/stderr
 }
 
-version=$("$REPO/scripts/local_version.sh")
-
 if [[ "$1" ]] ; then
     # If argument provided, use it as the version tag
     log "Overriding detected version $version and tagging image as $1"
     version="$1"
 fi
 
-docker build -t ${DOCKER_REPO}:${version} ${REPO}
+# Gives RFC 3339 with T instead of space
+date=$(date -Iseconds)
+
+docker build --build-arg VERSION=${version}\
+ --build-arg VCS_REF=${commit}\
+ --build-arg BUILD_DATE=${date}\
+ -t ${DOCKER_REPO}:${version} ${REPO}
 # Quick smoke test
 echo "Emitting version from docker image as smoke test..."
 docker run ${DOCKER_REPO}:${version} -v
diff --git a/scripts/local_version.sh b/scripts/local_version.sh
index 21f4fc2413e8f03f6788548a1a9436b95bd636b5..eb4d2d20c759074a6931b8732b7286f601246612 100755
--- a/scripts/local_version.sh
+++ b/scripts/local_version.sh
@@ -19,6 +19,10 @@ function log() {
     echo "$*" >> /dev/stderr
 }
 
+# Same as specified RFC3339 but contains the T
+date=$(date -Idate)
+commit=$(git rev-parse --short HEAD)
+
 if [[ ${tag} =~ ${VERSION_REGEX} ]] ; then
     # Only label a build as a release version when the commit is tagged
     log "Building release version (tagged $tag)..."
@@ -28,8 +32,6 @@ if [[ ${tag} =~ ${VERSION_REGEX} ]] ; then
         exit 1
     fi
 else
-    date=$(date +"%Y%m%d")
-    commit=$(git rev-parse --short HEAD)
     version="$version-dev-$date-$commit"
     log "Building non-release version $version..."
 fi
diff --git a/scripts/release.sh b/scripts/release.sh
index fda4ec69688b1795465eded40de81fbfdf366efc..3b7829826b0c27a30c26b58c5700043601361d74 100755
--- a/scripts/release.sh
+++ b/scripts/release.sh
@@ -8,7 +8,8 @@ function release {
     notes="NOTES.md"
     echo "Building and releasing $tag..."
     echo "Pushing docker image..."
-    docker login -u ${DOCKER_USER} -p ${DOCKER_PASS} && docker push ${DOCKER_REPO}
+    echo ${DOCKER_PASS} | docker login --username ${DOCKER_USER} ${DOCKER_REPO} --password-stdin
+
     echo "Building and pushing binaries"
     [[ -e "$notes" ]] && goreleaser --release-notes "$notes" || goreleaser
 }