diff --git a/Dockerfile b/Dockerfile
new file mode 100644
index 0000000..9bbefb7
--- /dev/null
+++ b/Dockerfile
@@ -0,0 +1,23 @@
+ARG ALPINE_VERSION=3.16
+
+FROM alpine:${ALPINE_VERSION}
+
+ARG ALPINE_VERSION
+
+RUN cd /etc/apk/keys && \
+    wget "https://cdn.zero-downtime.net/alpine/stefan@zero-downtime.net-61bb6bfb.rsa.pub" && \
+    echo "@kubezero https://cdn.zero-downtime.net/alpine/v${ALPINE_VERSION}/kubezero" >> /etc/apk/repositories && \
+    apk upgrade -U -a --no-cache && \
+    apk --no-cache add \
+      ca-certificates \
+      docker-registry@kubezero
+
+USER docker-registry 
+
+VOLUME ["/var/lib/registry"]
+EXPOSE 5000
+
+COPY docker-entrypoint.sh /entrypoint.sh
+ENTRYPOINT ["/entrypoint.sh"]
+
+CMD ["/etc/docker-registry/config.yml"]
diff --git a/Makefile b/Makefile
new file mode 100644
index 0000000..d7a09a4
--- /dev/null
+++ b/Makefile
@@ -0,0 +1,5 @@
+REGISTRY := public.ecr.aws/zero-downtime
+IMAGE := docker-registry
+REGION := us-east-1
+
+include .ci/podman.mk
diff --git a/README.md b/README.md
index 1153470..8a3e4d2 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,10 @@
-# docker-registry
-Latest docker registry image incl. latest build
+# Abstract
+
+Docker registry image based on latest build of [main](https://github.com/distribution/distribution)
+
+## Changes to upstream
+- run as docker-registry rather than root inside the container
 
 # Resources
-- https://github.com/distribution/distribution/tree/6c237953cbbe9ae855e483c59d9085fb1c8aa01b
+- https://github.com/distribution/distribution
 - https://github.com/docker/distribution-library-image
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
new file mode 100755
index 0000000..8efa9f8
--- /dev/null
+++ b/docker-entrypoint.sh
@@ -0,0 +1,10 @@
+#!/bin/sh
+
+set -e
+
+case "$1" in
+    *.yaml|*.yml) set -- docker-registry serve "$@" ;;
+    serve|garbage-collect|help|-*) set -- docker-registry "$@" ;;
+esac
+
+exec "$@"