diff --git a/containers/agent/Dockerfile b/containers/agent/Dockerfile
index 75e49c84..5e1fd866 100644
--- a/containers/agent/Dockerfile
+++ b/containers/agent/Dockerfile
@@ -9,19 +9,15 @@ FROM ${BASE_IMAGE}
 
 # Install required packages and Node.js 22
 # Note: Some packages may already exist in runner-like base images, apt handles this gracefully
-RUN apt-get update && \
- apt-get install -y --no-install-recommends \
- iptables \
- curl \
- ca-certificates \
- git \
- gh \
- gnupg \
- dnsutils \
- net-tools \
- netcat-openbsd \
- gosu \
- libcap2-bin && \
+# Retry logic handles transient 404s when Ubuntu archive supersedes package versions mid-build
+RUN set -eux; \
+ PKGS="iptables curl ca-certificates git gh gnupg dnsutils net-tools netcat-openbsd gosu libcap2-bin"; \
+ apt-get update && \
+ ( apt-get install -y --no-install-recommends $PKGS || \
+ (echo "apt-get install failed, retrying with fresh package index..." && \
+ rm -rf /var/lib/apt/lists/* && \
+ apt-get update && \
+ apt-get install -y --no-install-recommends $PKGS) ) && \
 # Prefer system binaries over runner toolcache (e.g., act images) for Node checks.
 export PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:$PATH" && \
 # Install Node.js 22 from NodeSource
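Review bot: `set -eux` at the head of the package-install RUN now governs the whole command chain, and that chain runs past the end of this hunk into the NodeSource install, so `-u` aborts the build on any unset variable expanded further down and `-x` writes every later command with its arguments to the build log. Only `$PKGS` and `$PATH` are visible in the hunk, so the remainder of the RUN should be checked before merging; `set -eu` would be enough if tracing is not needed, since the fallback already prints its own message. The unquoted `$PKGS` relies on word splitting, which ShellCheck reports as SC2086; if hadolint runs on this file, a `# hadolint ignore=SC2086` line directly above the RUN records that it is intentional, and the same holds for `$BUILD_PKGS` in the one-shot-token hunk and `$PKGS` in containers/squid/Dockerfile.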
@@ -69,11 +65,15 @@ RUN chmod +x /usr/local/bin/setup-iptables.sh /usr/local/bin/entrypoint.sh /usr/
 # Build one-shot-token LD_PRELOAD library for single-use token access
 # This prevents tokens from being read multiple times (e.g., by malicious code)
 COPY one-shot-token/one-shot-token.c /tmp/one-shot-token.c
-RUN apt-get update && \
- apt-get install -y --no-install-recommends gcc libc6-dev && \
+RUN set -eux; \
+ BUILD_PKGS="gcc libc6-dev"; \
+ apt-get update && \
+ ( apt-get install -y --no-install-recommends $BUILD_PKGS || \
+ (rm -rf /var/lib/apt/lists/* && apt-get update && \
+ apt-get install -y --no-install-recommends $BUILD_PKGS) ) && \
 gcc -shared -fPIC -O2 -Wall -o /usr/local/lib/one-shot-token.so /tmp/one-shot-token.c -ldl -lpthread && \
 rm /tmp/one-shot-token.c && \
- apt-get remove -y gcc libc6-dev && \
+ apt-get remove -y $BUILD_PKGS && \
 apt-get autoremove -y && \
 rm -rf /var/lib/apt/lists/*
 
diff --git a/containers/squid/Dockerfile b/containers/squid/Dockerfile
index 629fd602..3df7040f 100644
--- a/containers/squid/Dockerfile
+++ b/containers/squid/Dockerfile
@@ -1,14 +1,13 @@
 FROM ubuntu/squid:latest
 
 # Install additional tools for debugging, healthcheck, and SSL Bump
-RUN apt-get update && \
- apt-get install -y --no-install-recommends \
- curl \
- dnsutils \
- net-tools \
- netcat-openbsd \
- openssl \
- squid-openssl && \
+# Retry logic handles transient 404s when Ubuntu archive supersedes package versions mid-build
+RUN set -eux; \
+ PKGS="curl dnsutils net-tools netcat-openbsd openssl squid-openssl"; \
+ apt-get update && \
+ ( apt-get install -y --no-install-recommends $PKGS || \
+ (rm -rf /var/lib/apt/lists/* && apt-get update && \
+ apt-get install -y --no-install-recommends $PKGS) ) && \
 rm -rf /var/lib/apt/lists/*
 
 # Create log directory and SSL database directory
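Review bot: In the one-shot-token build step of containers/agent/Dockerfile, `apt-get remove -y $BUILD_PKGS` uninstalls gcc and libc6-dev whether or not this RUN was the one that installed them, and the comment on the first install step says runner-like base images may already ship some packages. If the agent image is meant to end up without a compiler, that should be stated next to the step, for example `# Toolchain is removed unconditionally so the agent image ships no compiler`. If a base image's own toolchain is supposed to survive, the removal has to be limited to the packages this step newly installed.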