diff --git a/Makefile b/Makefile
index 675a91aba7..c4934a7a9e 100644
--- a/Makefile
+++ b/Makefile
@@ -191,6 +191,7 @@ RETINA_TOOLS_IMAGE = $(IMAGE_NAMESPACE)/retina-tools
 RETINA_IMAGE = $(IMAGE_NAMESPACE)/retina-agent
 RETINA_INIT_IMAGE = $(IMAGE_NAMESPACE)/retina-init
 RETINA_OPERATOR_IMAGE = $(IMAGE_NAMESPACE)/retina-operator
+RETINA_SHELL_IMAGE = $(IMAGE_NAMESPACE)/retina-shell
 RETINA_INTEGRATION_TEST_IMAGE = $(IMAGE_NAMESPACE)/retina-integration-test
 RETINA_PROTO_IMAGE = $(IMAGE_NAMESPACE)/retina-proto-gen
 RETINA_GO_GEN_IMAGE = $(IMAGE_NAMESPACE)/retina-go-gen
@@ -307,6 +308,18 @@ retina-operator-image: ## build the retina linux operator image.
 APP_INSIGHTS_ID=$(APP_INSIGHTS_ID) \
 CONTEXT_DIR=$(REPO_ROOT)
 
+retina-shell-image:
+ echo "Building for $(PLATFORM)"
+ set -e ; \
+ $(MAKE) container-$(CONTAINER_BUILDER) \
+ PLATFORM=$(PLATFORM) \
+ DOCKERFILE=shell/Dockerfile \
+ REGISTRY=$(IMAGE_REGISTRY) \
+ IMAGE=$(RETINA_SHELL_IMAGE) \
+ VERSION=$(TAG) \
+ TAG=$(RETINA_PLATFORM_TAG) \
+ CONTEXT_DIR=$(REPO_ROOT)
+
 kapinger-image:
 docker buildx build --builder retina --platform windows/amd64 --target windows-amd64 -t $(IMAGE_REGISTRY)/$(KAPINGER_IMAGE):$(TAG)-windows-amd64 ./hack/tools/kapinger/ --push
 docker buildx build --builder retina --platform linux/amd64 --target linux-amd64 -t $(IMAGE_REGISTRY)/$(KAPINGER_IMAGE):$(TAG)-linux-amd64 ./hack/tools/kapinger/ --push
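Review bot: `retina-shell-image` is added without the `##` help text that the neighbouring target carries (`retina-operator-image: ## build the retina linux operator image.` is visible in the hunk header), so it presumably will not appear in the Makefile's self-documenting help output. I would write the rule header as `retina-shell-image: ## build the retina shell (network debugging) image.`. The same applies to `manifest-shell-image` in the later hunk, where `manifest-shell-image: ## create a multiplatform manifest for the shell image` would match its siblings. Whether either target is declared `.PHONY` cannot be seen from these hunks.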
@@ -347,12 +360,18 @@ manifest-operator-image: ## create a multiplatform manifest for the operator ima
 $(eval FULL_IMAGE_NAME=$(IMAGE_REGISTRY)/$(RETINA_OPERATOR_IMAGE):$(TAG))
 docker buildx imagetools create -t $(FULL_IMAGE_NAME) $(foreach platform,linux/amd64, $(FULL_IMAGE_NAME)-$(subst /,-,$(platform)))
 
+manifest-shell-image:
+ $(eval FULL_IMAGE_NAME=$(IMAGE_REGISTRY)/$(RETINA_SHELL_IMAGE):$(TAG))
+ docker buildx imagetools create -t $(FULL_IMAGE_NAME) $(foreach platform,linux/amd64 linux/arm64, $(FULL_IMAGE_NAME)-$(subst /,-,$(platform)))
+
 manifest:
 echo "Building for $(COMPONENT)"
 if [ "$(COMPONENT)" = "retina" ]; then \
 $(MAKE) manifest-retina-image; \
 elif [ "$(COMPONENT)" = "operator" ]; then \
 $(MAKE) manifest-operator-image; \
+ elif [ "$(COMPONENT)" = "shell" ]; then \
+ $(MAKE) manifest-shell-image; \
 fi
 
 ##@ Tests
diff --git a/shell/Dockerfile b/shell/Dockerfile
new file mode 100644
index 0000000000..84cde72a6d
--- /dev/null
+++ b/shell/Dockerfile
@@ -0,0 +1,31 @@
+# mcr.microsoft.com/azurelinux/base/core:3.0.20241005
+FROM mcr.microsoft.com/azurelinux/base/core@sha256:7ec490b605aac8a44aed0b0695b0ee6ae976ec898afd9ac8d5613d7f3ce2b07b
+
+# There are a two known issues with Azure Linux 3.0.20241005 that affect this image:
+# 1. `iptables-nft` binary is not yet installed, but will be fixed by https://github.com/microsoft/azurelinux/pull/10786
+# Until then, use `nft` to view nftables rules.
+# 2. `nslookup` and `bind` print an error "Algorithm not supported by SCOSSL" (but still complete successfully).
+# This will be fixed by https://github.com/microsoft/SymCrypt-OpenSSL/pull/92
+RUN tdnf install -y \
+ bind-utils \
+ bpftool \
+ bpftrace \
+ conntrack \
+ curl \
+ ebtables-legacy \
+ iperf3 \
+ iproute \
+ ipset \
+ iptables \
+ iputils \
+ ldns-utils \
+ net-tools \
+ nftables \
+ nmap \
+ openssh \
+ socat \
+ tcpdump \
+ wget \
+ && tdnf clean all
+
+CMD ["/bin/bash"]
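Review bot: The `manifest` dispatcher still ends at `fi` with no `else` branch after the new `shell` case, so a mistyped or unsupported `COMPONENT` exits 0 without creating any manifest and a release pipeline would record that as success. I would close the chain with `else echo "unknown COMPONENT: $(COMPONENT)" >&2; exit 1; \` on the line before `fi`. Separately, `manifest-shell-image` hard-codes `linux/amd64 linux/arm64`, so both per-platform tags must already have been pushed by `retina-shell-image`. Nothing in these hunks enforces that ordering, and a short comment on the target saying so would help.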
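Review bot: The base image is pinned by digest but the `tdnf install -y` layer is not, so two builds of the same commit can ship different versions of `nmap`, `openssh`, `tcpdump` and the other tools, and the two known-issue comments above the `RUN` can go stale without this file changing. Consider making the installed set auditable, for example by appending `&& rpm -qa | sort` to the `RUN` so the build log records the package list, or by generating an SBOM for the pushed image. The file also sets no `USER`, so the container presumably starts as root with this whole toolset available. A header comment such as `# Debug-only image: starts as root; grant only the capabilities a session needs (e.g. NET_ADMIN, NET_RAW) rather than running privileged` would make the intended deployment posture explicit for whoever wires it into a cluster.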