diff --git a/Dockerfile b/Dockerfile
index b59322c..71c3430 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,26 +1,50 @@
-FROM java:openjdk-7u65-jdk
+FROM java:8u45-jdk
 
 RUN apt-get update && apt-get install -y wget git curl zip && rm -rf /var/lib/apt/lists/*
 
-ENV JENKINS_VERSION 1.565.3
-RUN mkdir /usr/share/jenkins/
-RUN useradd -d /home/jenkins -m -s /bin/bash jenkins
-
-COPY init.groovy /tmp/WEB-INF/init.groovy.d/tcp-slave-angent-port.groovy
-RUN curl -L http://mirrors.jenkins-ci.org/war-stable/$JENKINS_VERSION/jenkins.war -o /usr/share/jenkins/jenkins.war \
-  && cd /tmp && zip -g /usr/share/jenkins/jenkins.war WEB-INF/init.groovy.d/tcp-slave-angent-port.groovy && rm -rf /tmp/WEB-INF
-
 ENV JENKINS_HOME /var/jenkins_home
-RUN usermod -m -d "$JENKINS_HOME" jenkins && chown -R jenkins "$JENKINS_HOME"
+
+# Jenkins is ran with user `jenkins`, uid = 1000
+# If you bind mount a volume from host/vloume from a data container, 
+# ensure you use same uid
+RUN useradd -d "$JENKINS_HOME" -u 1000 -m -s /bin/bash jenkins
+
+# Jenkins home directoy is a volume, so configuration and build history 
+# can be persisted and survive image upgrades
 VOLUME /var/jenkins_home
 
+# `/usr/share/jenkins/ref/` contains all reference configuration we want 
+# to set on a fresh new installation. Use it to bundle additional plugins 
+# or config file with your custom jenkins Docker image.
+RUN mkdir -p /usr/share/jenkins/ref/init.groovy.d
+
+
+COPY init.groovy /usr/share/jenkins/ref/init.groovy.d/tcp-slave-agent-port.groovy
+
+ENV JENKINS_VERSION 1.596.2
+ENV JENKINS_SHA 96ee85602a41d68c164fb54d4796be5d1d9cc5d0
+
+# could use ADD but this one does not check Last-Modified header 
+# see https://github.com/docker/docker/issues/8331
+RUN curl -fL http://mirrors.jenkins-ci.org/war-stable/$JENKINS_VERSION/jenkins.war -o /usr/share/jenkins/jenkins.war \
+  && echo "$JENKINS_SHA /usr/share/jenkins/jenkins.war" | sha1sum -c -
+
+ENV JENKINS_UC https://updates.jenkins-ci.org
+RUN chown -R jenkins "$JENKINS_HOME" /usr/share/jenkins/ref
+
 # for main web interface:
 EXPOSE 8080
 
 # will be used by attached slave agents:
 EXPOSE 50000
 
+ENV COPY_REFERENCE_FILE_LOG /var/log/copy_reference_file.log
+RUN touch $COPY_REFERENCE_FILE_LOG && chown jenkins.jenkins $COPY_REFERENCE_FILE_LOG
+
 USER jenkins
 
 COPY jenkins.sh /usr/local/bin/jenkins.sh
 ENTRYPOINT ["/usr/local/bin/jenkins.sh"]
+
+# from a derived Dockerfile, can use `RUN plugin.sh active.txt` to setup /usr/share/jenkins/ref/plugins from a support bundle
+COPY plugins.sh /usr/local/bin/plugins.sh
diff --git a/README.md b/README.md
index 0eabdbc..76d486b 100644
--- a/README.md
+++ b/README.md
@@ -23,7 +23,7 @@
 ```
 
 This will store the jenkins data in /your/home on the host.
-Ensure that /your/home is accessible by the jenkins user in container (jenkins user - uid 102 normally - or use -u root).
+Ensure that /your/home is accessible by the jenkins user in container (jenkins user - uid 1000).
 
 
 You can also use a volume container:
@@ -56,7 +56,7 @@
 variable for this purpose :
 
 ```
-docker run --name myjenkins -p 8080:8080 -env JAVA_OPTS=-Dhudson.footerURL=http://mycompany.com jenkins
+docker run --name myjenkins -p 8080:8080 --env JAVA_OPTS=-Dhudson.footerURL=http://mycompany.com jenkins
 ```
 
 # Passing Jenkins launcher parameters
@@ -86,23 +86,39 @@
 
 ```
 FROM jenkins
-USER root # if we want to install via apt
+# if we want to install via apt
+USER root
 RUN apt-get update && apt-get install -y ruby make more-thing-here
 USER jenkins # drop back to the regular jenkins user - good practice
 ```
 
 In such a derived image, you can customize your jenkins instance with hook scripts or additional plugins. 
-Those need to be packaged inside the executed jenkins.war, so use :
+For this purpose, use `/usr/share/jenkins/ref` as a place to define the default JENKINS_HOME content you
+wish the target installation to look like :
 
 ```
-RUN mkdir -p /tmp/WEB-INF/plugins
-RUN curl -L https://updates.jenkins-ci.org/latest/git.hpi -o /tmp/WEB-INF/plugins/git.hpi
-RUN curl -L https://updates.jenkins-ci.org/latest/git-client.hpi -o /tmp/WEB-INF/plugins/git-client.hpi
-RUN cd /tmp; zip --grow /usr/share/jenkins/jenkins.war WEB-INF/* 
+FROM jenkins
+COPY plugins.txt /usr/share/jenkins/ref/
+COPY custom.groovy /usr/share/jenkins/ref/init.groovy.d/custom.groovy
+RUN /usr/local/bin/plugins.sh /usr/share/jenkins/ref/plugins.txt
 ```
 
+When jenkins container starts, it will check JENKINS_HOME has this reference content, and copy them there if required. It will not override such files, so if you upgraded some plugins from UI they won't be reverted on next start.
+
 Also see [JENKINS-24986](https://issues.jenkins-ci.org/browse/JENKINS-24986)
 
+For your convenience, you also can use a plain text file to define plugins to be installed (using core-support plugin format)
+```
+pluginID:version
+anotherPluginID:version
+```
+And in derived Dockerfile just invoke the utility plugin.sh script
+```
+FROM jenkins
+COPY plugins.txt /usr/share/jenkins/plugins.txt
+RUN /usr/local/bin/plugins.sh /usr/share/jenkins/plugins.txt
+```
+
 
 # Upgrading
 
diff --git a/jenkins.sh b/jenkins.sh
index 31dc7e4..96db063 100755
--- a/jenkins.sh
+++ b/jenkins.sh
@@ -1,5 +1,28 @@
 #! /bin/bash
 
+set -e
+
+# Copy files from /usr/share/jenkins/ref into /var/jenkins_home
+# So the initial JENKINS-HOME is set with expected content. 
+# Don't override, as this is just a reference setup, and use from UI 
+# can then change this, upgrade plugins, etc.
+copy_reference_file() {
+	f=${1%/} 
+	echo "$f" >> $COPY_REFERENCE_FILE_LOG
+    rel=${f:23}
+    dir=$(dirname ${f})
+    echo " $f -> $rel" >> $COPY_REFERENCE_FILE_LOG
+	if [[ ! -e /var/jenkins_home/${rel} ]] 
+	then
+		echo "copy $rel to JENKINS_HOME" >> $COPY_REFERENCE_FILE_LOG
+		mkdir -p /var/jenkins_home/${dir:23}
+		cp -r /usr/share/jenkins/ref/${rel} /var/jenkins_home/${rel}; 
+	fi; 
+}
+export -f copy_reference_file
+echo "--- Copying files at $(date)" >> $COPY_REFERENCE_FILE_LOG
+find /usr/share/jenkins/ref/ -type f -exec bash -c 'copy_reference_file {}' \;
+
 # if `docker run` first argument start with `--` the user is passing jenkins launcher arguments
 if [[ $# -lt 1 ]] || [[ "$1" == "--"* ]]; then
    exec java $JAVA_OPTS -jar /usr/share/jenkins/jenkins.war $JENKINS_OPTS "$@"
diff --git a/plugins.sh b/plugins.sh
new file mode 100755
index 0000000..8fe2e97
--- /dev/null
+++ b/plugins.sh
@@ -0,0 +1,21 @@
+#! /bin/bash
+
+# Parse a support-core plugin -style txt file as specification for jenkins plugins to be installed
+# in the reference directory, so user can define a derived Docker image with just :
+#
+# FROM jenkins
+# COPY plugins.txt /plugins.txt
+# RUN /usr/local/bin/plugins.sh /plugins.txt
+#
+
+REF=/usr/share/jenkins/ref/plugins
+mkdir -p $REF
+
+while read spec; do
+    plugin=(${spec//:/ });
+    [[ ${plugin[0]} =~ ^# ]] && continue
+    [[ ${plugin[0]} =~ ^\s*$ ]] && continue
+    [[ -z ${plugin[1]} ]] && plugin[1]="latest"
+    echo "Downloading ${plugin[0]}:${plugin[1]}"
+    curl -s -L -f ${JENKINS_UC}/download/plugins/${plugin[0]}/${plugin[1]}/${plugin[0]}.hpi -o $REF/${plugin[0]}.hpi || echo "Failed to download ${plugin[0]}:${plugin[1]}"
+done  < $1