diff --git a/.github/workflows/build.yaml b/.github/workflows/build.yaml
index f54127f..d64eeed 100644
--- a/.github/workflows/build.yaml
+++ b/.github/workflows/build.yaml
@@ -288,3 +288,40 @@ jobs:
 asset_path: ./alma/lx-alma-${{ matrix.RELEASE }}.tar.xz
 asset_name: lx-alma-${{ matrix.RELEASE }}-${{ needs.prepare.outputs.tag }}.tar.xz
 asset_content_type: application/x-xz
+ rocky:
+ needs: prepare
+ strategy:
+ matrix:
+ RELEASE:
+ - 8
+ - 9
+
+ name: Build RockyLinux ${{ matrix.RELEASE }}
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+
+ - name: Build Image
+ id: build_image
+ run: |
+ set -xe
+ cd rocky
+ tar=lx-rocky-${{ matrix.RELEASE }}.tar
+ tag=release:$$
+ docker build --tag $tag --build-arg ROCKY_RELEASE=${{ matrix.RELEASE }} .
+ container=$(docker create $tag)
+ docker cp $container:. - > $tar
+ docker rm $container
+ docker rmi $tag
+ xz $tar
+ - name: Upload Release Asset
+ id: upload_release_asset
+ uses: actions/upload-release-asset@v1
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+ with:
+ upload_url: ${{ needs.prepare.outputs.upload_url }}
+ asset_path: ./rocky/lx-rocky-${{ matrix.RELEASE }}.tar.xz
+ asset_name: lx-rocky-${{ matrix.RELEASE }}-${{ needs.prepare.outputs.tag }}.tar.xz
+ asset_content_type: application/x-xz
diff --git a/rocky/Dockerfile b/rocky/Dockerfile
new file mode 100644
index 0000000..598636c
--- /dev/null
+++ b/rocky/Dockerfile
@@ -0,0 +1,5 @@
+ARG ROCKY_RELEASE
+FROM rockylinux:${ROCKY_RELEASE}
+COPY helpers /helpers
+ARG ROCKY_RELEASE=${ROCKY_RELEASE}
+RUN cd /helpers; sh build.sh; cd /; rm -rf helpers
diff --git a/rocky/helpers/build.sh b/rocky/helpers/build.sh
new file mode 100644
index 0000000..d5d3ea5
--- /dev/null
+++ b/rocky/helpers/build.sh
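Review bot: In `.github/workflows/build.yaml`, the new `rocky` job references both actions by mutable tag (`actions/checkout@v2`, `actions/upload-release-asset@v1`), and the second one runs with `GITHUB_TOKEN` in its environment and publishes the release asset. A tag can be moved, so the code that executes with that token is not fixed by this file; pinning each `uses:` to a full commit SHA with the tag kept as a trailing comment, e.g. `uses: actions/checkout@<full-commit-sha>  # v2`, closes that gap. No `permissions:` key is visible for the job in this hunk; if the workflow does not set one at top level (outside the hunk), it would be worth scoping the token here to what the upload needs, `contents: write`.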
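Review bot: In `rocky/Dockerfile`, the `RUN` line chains its commands with `;`, so the step's exit status is that of the final `rm -rf helpers`; a failure inside `build.sh` (which runs under `set -ex` and would exit non-zero) does not fail the image build. The workflow would then export and publish an image in which `dnf update`, the service masking or the SSH host-key removal may not have run. Chain with `&&` instead: `RUN cd /helpers && sh build.sh && cd / && rm -rf /helpers`. Separately, `FROM rockylinux:${ROCKY_RELEASE}` resolves a mutable tag at build time, so pinning the base by digest per release would make the published tarball traceable to a known base image.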
@@ -0,0 +1,64 @@
+#!/bin/sh
+set -ex
+echo Installing RockyLinux $ROCKY_RELEASE
+dnf update -y
+dnf install -y --allowerasing \
+ cronie \
+ systemd-sysv \
+ vim \
+ binutils \
+ dialog \
+ diffutils \
+ iputils \
+ openssh-server \
+ openssh-clients \
+ passwd \
+ procps-ng \
+ rsyslog \
+ sudo \
+ curl \
+ less \
+ man-db \
+ bind-utils \
+ net-tools
+
+
+# disable services we do not need
+systemctl mask systemd-remount-fs.service
+systemctl mask systemd-resolved fstrim.timer fstrim
+systemctl mask e2scrub_reap e2scrub_all e2scrub_all.timer
+
+# disable systemd features not present in lx (e.g. cgroup support)
+for S in \
+ systemd-hostnamed systemd-localed systemd-timedated systemd-logind \
+ systemd-initctl systemd-journald
+do
+ O=/etc/systemd/system/${S}.service.d
+ mkdir -p $O
+ cp override.conf ${O}/override.conf
+done
+
+# This service doesn't exist yet but systemd will happily create the /dev/null
+# mapping for it. It comes in with nfs-common and fails because lx doesn't know
+# about rpc_pipefs. NFSv4 still seems to mount without this service and
+# lx_lockd is still started. Let's hide it from the user so they see don't see
+# unecessary failed services.
+systemctl mask run-rpc_pipefs.mount
+
+# lx hosts file
+cp hosts /etc/hosts.lx
+
+# make sure we get fresh ssh keys on first boot
+# note that rocky uses the sshd-keygen@.service to regenerate missing keys
+/bin/rm -f -v /etc/ssh/ssh_host_*_key*
+
+# hostfile fix
+cp create_hosts_file.service /etc/systemd/system
+systemctl enable create_hosts_file.service
+
+# remove .dockerenv file because lx is not a docker
+cp remove_dockerenv_file.service /etc/systemd/system
+systemctl enable remove_dockerenv_file.service
+
+# some smf helper folders
+mkdir -p /var/svc /var/db
diff --git a/rocky/helpers/create_hosts_file.service b/rocky/helpers/create_hosts_file.service
new file mode 100644
index 0000000..b762907
--- /dev/null
+++ b/rocky/helpers/create_hosts_file.service
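Review bot: `rocky/helpers/build.sh` removes the SSH host keys so that instances do not share them, but it leaves other per-instance identity in the exported filesystem untouched; `/etc/machine-id` is the usual one, and it may have been written during the `dnf` transaction (not verifiable from this hunk). If it is populated, every zone created from the tarball starts with the same ID. Truncating it next to the host-key step, `: > /etc/machine-id`, lets systemd generate a fresh one on first boot; it is worth confirming that first-boot generation works under lx. The comment above the `rm` could also state the reason the keys are removed, e.g. `# never ship host keys in the image: every instance would share them`.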
@@ -0,0 +1,13 @@
+[Unit]
+Description=Create a Hostfile
+After=network.target auditd.service
+
+[Service]
+Type=oneshot
+ExecStart=/bin/mv /etc/hosts.lx /etc/hosts
+ExecStart=/bin/sed -i s/HOSTNAME/%H/g /etc/hosts
+ExecStartPost=/bin/systemctl disable create_hosts_file.service
+
+[Install]
+WantedBy=multi-user.target
+# last line
diff --git a/rocky/helpers/hosts b/rocky/helpers/hosts
new file mode 100644
index 0000000..81d4960
--- /dev/null
+++ b/rocky/helpers/hosts
@@ -0,0 +1,8 @@
+# host file
+127.0.0.1 localhost
+127.0.1.1 HOSTNAME
+# The following lines are desirable for IPv6 capable hosts
+::1 localhost ip6-localhost ip6-loopback
+ff02::1 ip6-allnodes
+ff02::2 ip6-allrouters
+# end
diff --git a/rocky/helpers/override.conf b/rocky/helpers/override.conf
new file mode 100644
index 0000000..e165be8
--- /dev/null
+++ b/rocky/helpers/override.conf
@@ -0,0 +1,7 @@
+[Service]
+PrivateTmp=no
+PrivateDevices=no
+PrivateNetwork=no
+ProtectSystem=no
+NoNewPrivileges=no
+ProtectHome=no
diff --git a/rocky/helpers/remove_dockerenv_file.service b/rocky/helpers/remove_dockerenv_file.service
new file mode 100644
index 0000000..24f5e7f
--- /dev/null
+++ b/rocky/helpers/remove_dockerenv_file.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Remove dockerenv file
+After=network.target auditd.service
+
+[Service]
+Type=oneshot
+ExecStart=/bin/rm -f /.dockerenv
+ExecStartPost=/bin/systemctl disable remove_dockerenv_file.service
+
+[Install]
+WantedBy=multi-user.target
+# last line
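Review bot: In `rocky/helpers/create_hosts_file.service`, the self-disable in `ExecStartPost` only runs when both `ExecStart` commands succeed, so if `/etc/hosts.lx` is missing (a repeated run, or an image where the copy did not happen) the unit stays enabled and fails on every boot. Adding `ConditionPathExists=/etc/hosts.lx` under `[Unit]` turns that case into a clean skip. Note also that `%H` is expanded when systemd loads the unit rather than when the command runs, so the hostname has to be set by then; a comment such as `# %H is resolved at unit load time; the zone hostname must be set before systemd starts` would record that assumption.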
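Review bot: `rocky/helpers/override.conf` carries no comment explaining itself, and `build.sh` installs it as a drop-in for six services (`systemd-hostnamed`, `systemd-localed`, `systemd-timedated`, `systemd-logind`, `systemd-initctl`, `systemd-journald`), switching off every sandboxing directive listed for all of them. The only stated reason is the `build.sh` comment about systemd features not present in lx; whether each directive, `NoNewPrivileges=no` in particular, really has to be off for each service is not visible here. I would put the rationale in the file itself, e.g. `# lx lacks the kernel features these sandboxing options rely on; keep this list to the directives that actually fail there`, and drop any line that turns out not to be needed.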