diff --git a/docker/keeper/Dockerfile.rockylinux b/docker/keeper/Dockerfile.rockylinux
new file mode 100644
index 000000000000..ca5ff3e4afd8
--- /dev/null
+++ b/docker/keeper/Dockerfile.rockylinux
@@ -0,0 +1,76 @@
+FROM docker.io/library/rockylinux:9.3
+
+ENV LANG=en_US.UTF-8 \
+    LANGUAGE=en_US:en \
+    LC_ALL=en_US.UTF-8 \
+    TZ=UTC \
+    CLICKHOUSE_CONFIG=/etc/clickhouse-server/config.xml
+
+COPY entrypoint.sh /entrypoint.sh
+
+# lts / testing / prestable / etc
+ARG REPO_CHANNEL="stable"
+ARG REPOSITORY="https://packages.clickhouse.com/tgz/${REPO_CHANNEL}"
+ARG VERSION="25.1.5.31"
+ARG PACKAGES="clickhouse-keeper"
+ARG DIRECT_DOWNLOAD_URLS=""
+
+# user/group precreated explicitly with fixed uid/gid on purpose.
+# It is especially important for rootless containers: in that case entrypoint
+# can't do chown and owners of mounted volumes should be configured externally.
+# We do that in advance at the begining of Dockerfile before any packages will be
+# installed to prevent picking those uid / gid by some unrelated software.
+# The same uid / gid (101) is used both for alpine and ubuntu.
+ARG DEFAULT_UID="101"
+ARG DEFAULT_GID="101"
+RUN groupadd -g "${DEFAULT_GID}" clickhouse && \
+    useradd -r -u "${DEFAULT_UID}" -g clickhouse -d "/var/lib/clickhouse" -s /bin/bash -c "ClickHouse keeper" clickhouse
+
+# Install required packages
+RUN dnf update -y && \
+    dnf install -y wget tar gzip ca-certificates tzdata bash shadow-utils && \
+    dnf clean all
+
+ARG TARGETARCH
+RUN arch=${TARGETARCH:-amd64} \
+    && cd /tmp && rm -f /tmp/*tgz && rm -f /tmp/*tgz.sha512 |: \
+    && if [ -n "${DIRECT_DOWNLOAD_URLS}" ]; then \
+        echo "installing from provided urls with tgz packages: ${DIRECT_DOWNLOAD_URLS}" \
+        && for url in $DIRECT_DOWNLOAD_URLS; do \
+            echo "Get ${url}" \
+            && wget -c -q "$url" \
+        ; done \
+    else \
+        for package in ${PACKAGES}; do \
+            cd /tmp \
+            && echo "Get ${REPOSITORY}/${package}-${VERSION}-${arch}.tgz" \
+            && wget -c -q "${REPOSITORY}/${package}-${VERSION}-${arch}.tgz" \
+            && wget -c -q "${REPOSITORY}/${package}-${VERSION}-${arch}.tgz.sha512" \
+        ; done \
+    fi \
+    && cat *.tgz.sha512 | sha512sum -c \
+    && for file in *.tgz; do \
+        if [ -f "$file" ]; then \
+            echo "Unpacking $file"; \
+            tar xvzf "$file" --strip-components=1 -C /; \
+        fi \
+    ; done \
+    && rm /tmp/*.tgz /install -r \
+    && chmod +x /entrypoint.sh \
+    && ln -sf /usr/share/zoneinfo/UTC /etc/localtime \
+    && echo "UTC" > /etc/timezone
+
+ARG DEFAULT_CONFIG_DIR="/etc/clickhouse-keeper"
+ARG DEFAULT_DATA_DIR="/var/lib/clickhouse-keeper"
+ARG DEFAULT_LOG_DIR="/var/log/clickhouse-keeper"
+RUN clickhouse-keeper --version \
+    && mkdir -p "${DEFAULT_DATA_DIR}" "${DEFAULT_LOG_DIR}" "${DEFAULT_CONFIG_DIR}" \
+    && chown clickhouse:clickhouse "${DEFAULT_DATA_DIR}" \
+    && chown root:clickhouse "${DEFAULT_LOG_DIR}" \
+    && chmod ugo+Xrw -R "${DEFAULT_DATA_DIR}" "${DEFAULT_LOG_DIR}" "${DEFAULT_CONFIG_DIR}"
+
+# /var/lib/clickhouse is necessary due to the current default configuration for Keeper
+VOLUME "${DEFAULT_DATA_DIR}" /var/lib/clickhouse
+EXPOSE 2181 10181 44444 9181
+
+ENTRYPOINT ["/entrypoint.sh"]