diff --git a/Dockerfile b/Dockerfile
index fc4beb6e03..87eed4ea89 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -6,7 +6,7 @@ ARG DEBIAN_FRONTEND=noninteractive
 ARG VPNKIT_DIGEST=e508a17cfacc8fd39261d5b4e397df2b953690da577e2c987a47630cd0c42f8e
 ARG DOCKER_BUILDTAGS="apparmor seccomp selinux"
 
-FROM golang:${GO_VERSION}-stretch AS base
+FROM golang:${GO_VERSION}-buster AS base
 RUN echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache
 ARG APT_MIRROR
 RUN sed -ri "s/(httpredir|deb).debian.org/${APT_MIRROR:-deb.debian.org}/g" /etc/apt/sources.list \
@@ -113,9 +113,9 @@ RUN --mount=type=cache,sharing=locked,id=moby-cross-false-aptlib,target=/var/lib
     --mount=type=cache,sharing=locked,id=moby-cross-false-aptcache,target=/var/cache/apt \
         apt-get update && apt-get install -y --no-install-recommends \
             binutils-mingw-w64 \
-            btrfs-tools \
             g++-mingw-w64-x86-64 \
             libapparmor-dev \
+            libbtrfs-dev \
             libdevmapper-dev \
             libseccomp-dev \
             libsystemd-dev \
@@ -163,7 +163,7 @@ ARG CONTAINERD_COMMIT
 RUN --mount=type=cache,sharing=locked,id=moby-containerd-aptlib,target=/var/lib/apt \
     --mount=type=cache,sharing=locked,id=moby-containerd-aptcache,target=/var/cache/apt \
         apt-get update && apt-get install -y --no-install-recommends \
-            btrfs-tools
+            libbtrfs-dev
 ENV INSTALL_BINARY_NAME=containerd
 COPY hack/dockerfile/install/install.sh ./install.sh
 COPY hack/dockerfile/install/$INSTALL_BINARY_NAME.installer ./
@@ -284,6 +284,11 @@ RUN --mount=type=cache,sharing=locked,id=moby-dev-aptlib,target=/var/lib/apt \
             zip
 
 
+# Switch to use iptables instead of nftables (to match the host machine)
+RUN update-alternatives --set iptables  /usr/sbin/iptables-legacy  || true \
+ && update-alternatives --set ip6tables /usr/sbin/ip6tables-legacy || true \
+ && update-alternatives --set arptables /usr/sbin/arptables-legacy || true
+
 RUN pip3 install yamllint==1.16.0
 
 COPY --from=dockercli     /build/ /usr/local/cli
diff --git a/hack/make/.integration-daemon-stop b/hack/make/.integration-daemon-stop
index 4f7c8acb8e..82d9c3f242 100644
--- a/hack/make/.integration-daemon-stop
+++ b/hack/make/.integration-daemon-stop
@@ -21,7 +21,7 @@ if [ ! "$(go env GOOS)" = 'windows' ]; then
 		if [ -e "/sys/module/apparmor/parameters/enabled" ] && [ "$(cat /sys/module/apparmor/parameters/enabled)" == "Y" ]; then
 			(
 				[ -n "$TESTDEBUG" ] && set -x
-				/etc/init.d/apparmor stop
+				/etc/init.d/apparmor stop || true
 			)
 		fi
 	fi
diff --git a/hack/make/containerutility b/hack/make/containerutility
index 8aefc00ff0..7dcf5ea02b 100644
--- a/hack/make/containerutility
+++ b/hack/make/containerutility
@@ -8,6 +8,13 @@ CONTAINER_UTILITY_COMMIT=e004a1415a433447369e315b9d7df357102be0d2 # v0.9.0
 	cd "$GOPATH/src/github.com/docker/windows-container-utility"
 	git checkout -q "$CONTAINER_UTILITY_COMMIT"
 
+	# TODO remove this temporary fix once https://github.com/docker/windows-container-utility/pull/2 is merged
+	sed -i \
+		-e 's|-nostdinc ||g' \
+		-e 's|-I/usr/lib/gcc/x86_64-w64-mingw32/6.3-win32/include ||g' \
+		-e 's|-I/usr/x86_64-w64-mingw32/include ||g' \
+		"$GOPATH/src/github.com/docker/windows-container-utility/Makefile"
+
 	echo Building: ${DEST}/containerutility.exe
 
 	(