diff --git a/dogfood/coder/ubuntu-26.04/Dockerfile b/dogfood/coder/ubuntu-26.04/Dockerfile
index e0f7ee2fca..118ac2fd28 100644
--- a/dogfood/coder/ubuntu-26.04/Dockerfile
+++ b/dogfood/coder/ubuntu-26.04/Dockerfile
@@ -183,6 +183,15 @@ RUN sed -i 's|http://archive.ubuntu.com/ubuntu/|http://mirrors.edge.kernel.org/u
 zip \
 zsh \
 zstd && \
+ # Keep Docker's engine, CLI, runtime, and plugins on the versions selected by
+ # the apt pins copied above. Future apt operations in this image should not
+ # upgrade Docker 27 or containerd.io 1.7.23 out from under sysbox / DinD.
+ apt-mark hold \
+ containerd.io \
+ docker-buildx-plugin \
+ docker-ce \
+ docker-ce-cli \
+ docker-compose-plugin && \
 # Delete package cache to avoid consuming space in layer
 apt-get clean && \
 # Configure FIPS-compliant policies
diff --git a/dogfood/coder/ubuntu-26.04/files/etc/apt/preferences.d/containerd b/dogfood/coder/ubuntu-26.04/files/etc/apt/preferences.d/containerd
deleted file mode 100644
index ab0b8f9891..0000000000
--- a/dogfood/coder/ubuntu-26.04/files/etc/apt/preferences.d/containerd
+++ /dev/null
@@ -1,6 +0,0 @@
-# Ref: https://github.com/nestybox/sysbox/issues/879
-# We need to pin containerd to a specific version to avoid breaking
-# Docker-in-Docker.
-Package: containerd.io
-Pin: version 1.7.23-1
-Pin-Priority: 1001
diff --git a/dogfood/coder/ubuntu-26.04/files/etc/apt/preferences.d/docker b/dogfood/coder/ubuntu-26.04/files/etc/apt/preferences.d/docker
index 8bf06ea2ee..952be1030e 100644
--- a/dogfood/coder/ubuntu-26.04/files/etc/apt/preferences.d/docker
+++ b/dogfood/coder/ubuntu-26.04/files/etc/apt/preferences.d/docker
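Review bot: The `apt-mark hold` list and the pins in files/etc/apt/preferences.d/docker now state the same policy twice, and the added comment does not say which one is authoritative or that they must be kept in step. `docker-buildx-plugin` and `docker-compose-plugin` are held here but only have a version-less priority-500 stanza in the preferences file, so from this line on they are frozen at whatever version the preceding install resolved, which the comment's "versions selected by the apt pins" wording hides. Held packages are also skipped by `apt-get upgrade`, so security fixes for the Docker 27 line and containerd.io 1.7.23 will not reach derived images without a deliberate unhold; suggest adding `# NOTE: held packages are skipped by apt-get upgrade, including security fixes; keep this list in sync with preferences.d/docker and revisit when the sysbox containerd constraint is lifted.` The same pin/hold duplication applies to the preferences.d/docker hunk below. The enclosing RUN instruction starts and ends outside the hunk.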
@@ -1,23 +1,35 @@
-# Ignore all packages from this repository by default
+# Ignore all packages from this repository by default.
 Package: *
 Pin: origin download.docker.com
 Pin-Priority: 1

-# Docker Community Edition
-# We need to pin docker-ce to a specific version because containerd is pinned
-# to an older version. Newer major versions of docker-ce require a version of
-# containerd.io greater than our pinned version.
+# Docker Community Edition.
+# We need to pin docker-ce to Docker 27 because containerd is pinned to an
+# older version for sysbox / Docker-in-Docker compatibility. Docker 28 and newer
+# require containerd.io >= 1.7.27, but sysbox currently needs 1.7.23.
 Package: docker-ce
-Pin: origin download.docker.com
-Pin: version 5:29.*
-Pin-Priority: 500
+Pin: version 5:27.*
+Pin-Priority: 1001

-# Docker command-line tool
+# Docker command-line tool.
+# Keep the CLI on the same major line as the engine. docker-ce only depends on
+# docker-ce-cli without an exact version constraint, so leaving this unpinned can
+# cause apt to pair a Docker 27 engine with a newer CLI.
 Package: docker-ce-cli
-Pin: origin download.docker.com
-Pin-Priority: 500
+Pin: version 5:27.*
+Pin-Priority: 1001

-# containerd runtime
+# containerd runtime.
+# Ref: https://github.com/nestybox/sysbox/issues/879
+# We need to pin containerd to this specific version to avoid breaking
+# Docker-in-Docker. Keep this pin in the Docker preferences file so the Docker
+# engine and runtime constraints are maintained together.
 Package: containerd.io
+Pin: version 1.7.23-1
+Pin-Priority: 1001
+
+# Allow Docker plugins from Docker's repository, but keep the repository ignored
+# globally so unpinned Docker packages do not unexpectedly upgrade.
+Package: docker-buildx-plugin docker-compose-plugin
 Pin: origin download.docker.com
 Pin-Priority: 500
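Review bot: The new `Package: docker-buildx-plugin docker-compose-plugin` stanza depends on apt accepting a whitespace-separated list in one Package field; if the apt in this image does not, the stanza silently matches nothing, both plugins fall back to the `Package: *` priority-1 rule, and the install step will fail to pull them from download.docker.com rather than surface a pin error. That is worth confirming in the build with `apt-cache policy docker-buildx-plugin docker-compose-plugin` before relying on it, or by splitting the stanza into one per package, which every apt version honors. Separately, `Pin: version 1.7.23-1` at priority 1001 excludes every later containerd.io 1.7.x release, including security releases, and the comment gives the reason but no exit criterion; suggest appending `# This exact-version pin also blocks containerd security fixes; revisit when the referenced sysbox issue is resolved.` The docker-ce-cli comment's claim about docker-ce's dependency constraint is not verifiable from this diff, so I would phrase it as an observation rather than a fact.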
diff --git a/dogfood/coder/ubuntu-26.04/files/etc/apt/sources.list.d/docker.list b/dogfood/coder/ubuntu-26.04/files/etc/apt/sources.list.d/docker.list
index 76fa2962d1..d58738a0f7 100644
--- a/dogfood/coder/ubuntu-26.04/files/etc/apt/sources.list.d/docker.list
+++ b/dogfood/coder/ubuntu-26.04/files/etc/apt/sources.list.d/docker.list
@@ -1 +1,6 @@
-deb [signed-by=/usr/share/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu resolute stable
+# Intentionally use Docker's Ubuntu 22.04 (jammy) repository on this Ubuntu
+# 26.04 image. Docker's resolute repo no longer carries the Docker 27 packages
+# we need, and Docker 28+ requires containerd.io >= 1.7.27. We pin
+# containerd.io to 1.7.23 for sysbox / Docker-in-Docker compatibility, so the
+# older jammy repo is required until that constraint is removed.
+deb [signed-by=/usr/share/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu jammy stable
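Review bot: The new comment explains the jammy suite but gives no pointer to the tracking reference or an exit criterion, so the next reader who sees a 22.04 repository on a 26.04 image has to rediscover the reasoning through preferences.d/docker; suggest adding `# Ref: https://github.com/nestybox/sysbox/issues/879 — drop back to the resolute suite once containerd.io can move past 1.7.23.` The jammy `stable` channel will keep publishing Docker 28 and later as well, so this line by itself does not keep the image on Docker 27; that depends entirely on the preferences pins and the Dockerfile `apt-mark hold`, and the comment should say so to discourage editing one without the others. Packages from the jammy suite are presumably built against 22.04-era libraries, so Docker-in-Docker on the 26.04 base should be exercised in CI rather than assumed to work after this switch.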