diff --git a/CHANGELOG.md b/CHANGELOG.md
index 1204778dea..bb2048c1b0 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,11 @@ Canonical reference for changes, improvements, and bugfixes for Boundary.
 
 ## Next
 
+### New and Improved
+
+* mlock: Add a Docker entrypoint script and modify Dockerfiles to mimic Vault
+  ([PR](https://github.com/hashicorp/boundary/pull/1269))
+
 ## 0.2.3 (2021/05/21)
 
 ### Deprecations/Changes
diff --git a/docker/Dev.dockerfile b/docker/Dev.dockerfile
index f44593e964..633dafe9bc 100644
--- a/docker/Dev.dockerfile
+++ b/docker/Dev.dockerfile
@@ -12,6 +12,6 @@ RUN chown -R boundary:boundary /boundary/
 EXPOSE 9200 9201 9202
 VOLUME /boundary/
 
-USER boundary
-ENTRYPOINT ["/bin/boundary"]
+COPY ./docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
+ENTRYPOINT ["docker-entrypoint.sh"]
 CMD ["server", "-config", "/boundary/config.hcl"]
diff --git a/docker/Release.dockerfile b/docker/Release.dockerfile
index d4ed7127e5..80b96f5d29 100644
--- a/docker/Release.dockerfile
+++ b/docker/Release.dockerfile
@@ -41,6 +41,6 @@ RUN chown -R boundary:boundary /boundary/
 EXPOSE 9200 9201 9202
 VOLUME /boundary/
 
-USER boundary
-ENTRYPOINT ["/bin/boundary"]
+COPY ./docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
+ENTRYPOINT ["docker-entrypoint.sh"]
 CMD ["server", "-config", "/boundary/config.hcl"]
diff --git a/docker/docker-entrypoint.sh b/docker/docker-entrypoint.sh
new file mode 100755
index 0000000000..994b1d809f
--- /dev/null
+++ b/docker/docker-entrypoint.sh
@@ -0,0 +1,49 @@
+#!/usr/bin/dumb-init /bin/sh
+set -e
+
+# Note above that we run dumb-init as PID 1 in order to reap zombie processes
+# as well as forward signals to all processes in its session. Normally, sh
+# wouldn't do either of these functions so we'd leak zombies as well as do
+# unclean termination of all our sub-processes.
+
+# Prevent core dumps
+ulimit -c 0
+
+# If the user is trying to run Boundary directly with some arguments, then
+# pass them to Boundary.
+if [ "${1:0:1}" = '-' ]; then
+    set -- boundary "$@"
+fi
+
+if [ "$1" = 'server' ]; then
+    shift
+    set -- boundary server \
+        "$@"
+fi
+
+# If we are running Boundary, make sure it executes as the proper user.
+if [ "$1" = 'boundary' ]; then
+    if [ -z "$SKIP_CHOWN" ]; then
+        # If the config dir is bind mounted then chown it
+        if [ "$(stat -c %u /boundary)" != "$(id -u boundary)" ]; then
+            chown -R boundary:boundary /boundary || echo "Could not chown /boundary (may not have appropriate permissions)"
+        fi
+    fi
+
+    if [ -z "$SKIP_SETCAP" ]; then
+        # Allow mlock to avoid swapping Boundary memory to disk
+        setcap cap_ipc_lock=+ep $(readlink -f $(which boundary))
+
+        # In the case Boundary has been started in a container without IPC_LOCK privileges
+        if ! boundary -version 1>/dev/null 2>/dev/null; then
+            >&2 echo "Couldn't start Boundary with IPC_LOCK. Disabling IPC_LOCK, please use --privileged or --cap-add IPC_LOCK"
+            setcap cap_ipc_lock=-ep $(readlink -f $(which boundary))
+        fi
+    fi
+
+    if [ "$(id -u)" = '0' ]; then
+      set -- su-exec boundary "$@"
+    fi
+fi
+
+exec "$@"