diff --git a/taskcluster/docker/image_builder/VERSION b/taskcluster/docker/image_builder/VERSION
new file mode 100644
index 000000000000..4a36342fcab7
--- /dev/null
+++ b/taskcluster/docker/image_builder/VERSION
@@ -0,0 +1 @@
+3.0.0
diff --git a/taskcluster/docs/docker-images.rst b/taskcluster/docs/docker-images.rst
index da2cd25a7274..8facce6afec4 100644
--- a/taskcluster/docs/docker-images.rst
+++ b/taskcluster/docs/docker-images.rst
@@ -94,8 +94,8 @@ for docker images that are pushed to a registry.
 Docker Registry Images (prebuilt)
 :::::::::::::::::::::::::::::::::
 
-***Warning: Use of prebuilt images should only be used for base images (those that other images
-will inherit from), or private images that must be stored in a private docker registry account.***
+***Warning: Registry images are only used for ``decision`` and
+``image_builder`` images.***
 
 These are images that are intended to be pushed to a docker registry and used
 by specifying the docker image name in task definitions.  They are generally
@@ -107,17 +107,16 @@ Example:
 
     image: taskcluster/decision:0.1.10@sha256:c5451ee6c655b3d97d4baa3b0e29a5115f23e0991d4f7f36d2a8f793076d6854
 
-Each image has a repo digest and a version. The repo digest is stored in the
-``HASH`` file in the image directory and used to refer to the image as above.
-The version is in ``VERSION``.
+Such images must always be referred to with both a version and a repo digest.
+For the decision image, the repo digest is stored in the ``HASH`` file in the
+image directory and used to refer to the image as above.  The version for both
+images is in ``VERSION``.
 
-The version file only serves to provide convenient names, such that old
-versions are easy to discover in the registry (and ensuring old versions aren't
-deleted by garbage-collection).
+The version file serves to help users identify which image is being used, and makes old
+versions easy to discover in the registry.
 
-Each image directory also has a ``REGISTRY``, defaulting to the ``REGISTRY`` in
-the ``taskcluster/docker`` directory, and specifying the image registry to
-which the completed image should be uploaded.
+The file ``taskcluster/docker/REGISTRY`` specifies the image registry to which
+the completed image should be uploaded.
 
 Docker Hashes and Digests
 .........................
@@ -164,13 +163,19 @@ Docker Registry Images
 
 Landing docker registry images takes a little more care.
 
-Once a new version of the image has been built and tested locally, push it to
-the docker registry and make note of the resulting repo digest.  Put this value
-in the ``HASH`` file, and update any references to the image in the code or
-task definitions.
+Begin by bumping the ``VERSION``.  Once the new version of the image has been
+built and tested locally, push it to the docker registry and make note of the
+resulting repo digest.  Put this value in the ``HASH`` file for the
+``decision`` image and in ``taskcluster/taskgraph/transforms/docker_image.py``
+for the ``image_builder`` image.
 
 The change is now safe to use in Try pushes.
 
+Note that ``image_builder`` change can be tested directly in try pushes without
+using a registry, as the in-registry ``image_builder`` image is used to build a
+task image which is then used to build other images.  It is referenced by hash
+in ``taskcluster/taskgraph/transforms/docker_image.py``.
+
 Special Dockerfile Syntax
 -------------------------
 
diff --git a/taskcluster/taskgraph/transforms/docker_image.py b/taskcluster/taskgraph/transforms/docker_image.py
index 3dd02d32f211..a003e9bcb496 100644
--- a/taskcluster/taskgraph/transforms/docker_image.py
+++ b/taskcluster/taskgraph/transforms/docker_image.py
@@ -186,11 +186,12 @@ def fill_template(config, tasks):
 
         # We use the in-tree image_builder image to build docker images, but
         # that can't be used to build the image_builder image itself,
-        # obviously. So we fall back to the last snapshot of the image that
-        # was uploaded to docker hub.
+        # obviously. So we fall back to an image on docker hub, identified
+        # by hash.  After the image-builder image is updated, it's best to push
+        # and update this hash as well, to keep image-builder builds up to date.
         if image_name == 'image_builder':
-            worker['docker-image'] = 'taskcluster/image_builder@sha256:' + \
-                '24ce54a1602453bc93515aecd9d4ad25a22115fbc4b209ddb5541377e9a37315'
+            hash = 'sha256:c6622fd3e5794842ad83d129850330b26e6ba671e39c58ee288a616a3a1c4c73'
+            worker['docker-image'] = 'taskcluster/image_builder@' + hash
             # Keep in sync with the Dockerfile used to generate the
             # docker image whose digest is referenced above.
             worker['volumes'] = [
diff --git a/taskcluster/taskgraph/util/docker.py b/taskcluster/taskgraph/util/docker.py
index 541e03ba7300..4357fd47c035 100644
--- a/taskcluster/taskgraph/util/docker.py
+++ b/taskcluster/taskgraph/util/docker.py
@@ -103,6 +103,8 @@ def post_to_docker(tar, api_path, **kwargs):
                 sys.stderr.write('{}\n'.format(data['status']))
         elif 'stream' in data:
             sys.stderr.write(data['stream'])
+        elif 'aux' in data:
+            sys.stderr.write(repr(data['aux']))
         elif 'error' in data:
             sys.stderr.write('{}\n'.format(data['error']))
             # Sadly, docker doesn't give more than a plain string for errors,