--- a/taskcluster/ci/docker-image/kind.yml
+++ b/taskcluster/ci/docker-image/kind.yml
@@ -57,18 +57,28 @@ jobs:
     parent: debian7-base
     definition: debian7-build
     packages:
       - deb7-valgrind
     args:
       ARCH: i386
   lint:
     symbol: I(lnt)
+  debian9-base:
+    symbol: I(deb9-base)
+    definition: debian-base
+    args:
+      DIST: stretch
+      BASE_TAG: '20170620'
+      SNAPSHOT: '20170830T000511Z'
+    packages:
+      - deb9-mercurial
   android-build:
     symbol: I(agb)
+    parent: debian9-base
   index-task:
     symbol: I(idx)
   funsize-update-generator:
     symbol: I(pg)
   google-play-strings:
     symbol: I(gps)
   funsize-balrog-submitter:
     symbol: I(fbs)

--- a/taskcluster/docker/android-build/Dockerfile
+++ b/taskcluster/docker/android-build/Dockerfile
@@ -1,116 +1,51 @@
-FROM debian:stretch-20170620
+# %ARG DOCKER_IMAGE_PARENT
+FROM $DOCKER_IMAGE_PARENT
 MAINTAINER Nick Alexander <nalexander@mozilla.com>
 
-### Add worker user and setup its workspace.
-RUN mkdir -p /builds && \
-    groupadd -g 500 worker && \
-    useradd -u 500 -g 500 -d /builds/worker -s /bin/bash -m worker && \
-    chown -R worker:worker /builds && \
-    mkdir -p /builds/worker/workspace && \
-    chown -R worker:worker /builds/worker/workspace
-
-# Declare default working folder
-WORKDIR /builds/worker
-
 VOLUME /builds/worker/checkouts
 VOLUME /builds/worker/workspace
 VOLUME /builds/worker/tooltool-cache
 
-# Set variables normally configured at login, by the shell' parent process,
-# these are taken from GNU su manual.  Also set DEBIAN_FRONTEND to advise
-# apt-get of our situation.
-ENV HOME=/builds/worker \
-    SHELL=/bin/bash \
-    USER=worker \
-    LOGNAME=worker \
-    HOSTNAME=taskcluster-worker \
-    DEBIAN_FRONTEND=noninteractive
-
-# Set a default command useful for debugging.
-CMD ["/bin/bash", "--login"]
-
-# Set apt sources list to a snapshot.
-COPY sources.list /etc/apt/
-
-RUN ( echo 'quiet "true";'; \
-      echo 'APT::Get::Assume-Yes "true";'; \
-      echo 'APT::Install-Recommends "false";'; \
-      echo 'Acquire::Check-Valid-Until "false";'; \
-    ) > /etc/apt/apt.conf.d/99taskcluster
-
 # rsync is required for l10n single locale repacks.  less, screen, and
 # vim, help debugging interactive tasks in Task Cluster.
 # git and openssh-client are used to upload GeckoView javadoc to Github.
 RUN apt-get update && \
     apt-get install \
       autoconf2.13 \
       build-essential \
       base-files \
-      ca-certificates \
       ccache \
       cmake \
       curl \
       file \
-      git \
       gnupg \
       less \
-      make \
       openssh-client \
       procps \
-      python \
       python-cryptography \
-      python-dev \
       python-pip \
       python-setuptools \
       python-virtualenv \
       rsync \
       screen \
       sudo \
       tar \
       unzip \
       uuid \
       vim \
       wget \
-      xz-utils \
       yasm \
       zip
 
-# %include python/mozbuild/mozbuild/action/tooltool.py
-COPY topsrcdir/python/mozbuild/mozbuild/action/tooltool.py /setup/tooltool.py
-
-# %include testing/mozharness/external_tools/robustcheckout.py
-COPY topsrcdir/testing/mozharness/external_tools/robustcheckout.py /usr/local/mercurial/robustcheckout.py
-
-# %include taskcluster/docker/recipes/hgrc
-COPY topsrcdir/taskcluster/docker/recipes/hgrc /etc/mercurial/hgrc.d/mozilla.rc
-
-# %include taskcluster/docker/recipes/common.sh
-COPY topsrcdir/taskcluster/docker/recipes/common.sh /setup/common.sh
-
-# %include taskcluster/docker/recipes/install-mercurial.sh
-COPY topsrcdir/taskcluster/docker/recipes/install-mercurial.sh /setup/install-mercurial.sh
-
-# %include taskcluster/docker/recipes/debian-build-system-setup.sh
-COPY topsrcdir/taskcluster/docker/recipes/debian-build-system-setup.sh /setup/system-setup.sh
-
-RUN bash /setup/system-setup.sh
-
 # Add wrapper scripts for xvfb allowing tasks to easily retry starting up xvfb.
 # %include taskcluster/docker/recipes/xvfb.sh
 COPY topsrcdir/taskcluster/docker/recipes/xvfb.sh /builds/worker/scripts/xvfb.sh
 
-# %include taskcluster/docker/recipes/run-task
-COPY topsrcdir/taskcluster/docker/recipes/run-task /builds/worker/bin/run-task
-
-# Add pip configuration, among other things.
-# %include taskcluster/docker/recipes/dot-config
-COPY topsrcdir/taskcluster/docker/recipes/dot-config /builds/worker/.config
-
 # Stubbed out credentials; mozharness looks for this file an issues a WARNING
 # if it's not found, which causes the build to fail.  Note that this needs to
 # be in the parent of the workspace directory and in the directory where
 # mozharness is run (not its --work-dir).  See Bug 1169652.
 # %include taskcluster/docker/desktop-build/oauth.txt
 COPY topsrcdir/taskcluster/docker/desktop-build/oauth.txt /builds/worker/
 
 # Add a stubbed out buildprops, which keeps mozharness from choking.

deleted file mode 100644
--- a/taskcluster/docker/android-build/sources.list
+++ /dev/null
@@ -1,3 +0,0 @@
-deb [check-valid-until=no] http://snapshot.debian.org/archive/debian/20170830T000511Z/ stretch main
-deb [check-valid-until=no] http://snapshot.debian.org/archive/debian/20170830T000511Z/ stretch-updates main
-deb [check-valid-until=no] http://snapshot.debian.org/archive/debian-security/20170830T000511Z/ stretch/updates main