diff --git a/Jenkinsfile b/Jenkinsfile
index d551e9cc7a..6e05c556fc 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -5,6 +5,7 @@ def branch = env.CHANGE_TARGET ?: env.BRANCH_NAME
 def pkgs = [
     [target: "centos-7",                 image: "centos:7",                               arches: ["amd64", "aarch64"]],          // (EOL: June 30, 2024)
     [target: "centos-8",                 image: "quay.io/centos/centos:stream8",          arches: ["amd64", "aarch64"]],
+    [target: "centos-9",                 image: "quay.io/centos/centos:stream9",          arches: ["amd64", "aarch64"]],
     [target: "debian-buster",            image: "debian:buster",                          arches: ["amd64", "aarch64", "armhf"]], // Debian 10 (EOL: 2024)
     [target: "debian-bullseye",          image: "debian:bullseye",                        arches: ["amd64", "aarch64", "armhf"]], // Debian 11 (Next stable)
     [target: "fedora-34",                image: "fedora:34",                              arches: ["amd64", "aarch64"]],          // EOL: May 17, 2022
diff --git a/rpm/Makefile b/rpm/Makefile
index 84306f1824..9e89d11631 100644
--- a/rpm/Makefile
+++ b/rpm/Makefile
@@ -55,7 +55,7 @@ RUN?=docker run --rm \
 	rpmbuild-$@/$(ARCH) $(RPMBUILD_FLAGS)
 
 FEDORA_RELEASES ?= fedora-36 fedora-35 fedora-34
-CENTOS_RELEASES ?= centos-7 centos-8
+CENTOS_RELEASES ?= centos-7 centos-8 centos-9
 ifeq ($(ARCH),s390x)
 RHEL_RELEASES ?= rhel-7
 else
@@ -81,8 +81,8 @@ rpm: fedora centos ## build all rpm packages
 .PHONY: fedora
 fedora: $(FEDORA_RELEASES) ## build all fedora rpm packages
 
-.PHONY: centos-8
-centos-8: RPMBUILD_EXTRA_FLAGS=--define '_without_btrfs 1'
+.PHONY: centos-8 centos-9
+centos-8 centos-9: RPMBUILD_EXTRA_FLAGS=--define '_without_btrfs 1'
 
 .PHONY: centos
 centos: $(CENTOS_RELEASES) ## build all centos rpm packages
diff --git a/rpm/SPECS/docker-ce.spec b/rpm/SPECS/docker-ce.spec
index bdb6817ab9..f7591f692e 100644
--- a/rpm/SPECS/docker-ce.spec
+++ b/rpm/SPECS/docker-ce.spec
@@ -1,7 +1,9 @@
 %global debug_package %{nil}
 
 # BTRFS is enabled by default, but can be disabled by defining _without_btrfs
-%{!?_with_btrfs: %{!?_without_btrfs: %define _with_btrfs 1}}
+%if %{undefined _with_btrfs} && %{undefined _without_btrfs}
+%define _with_btrfs 1
+%endif
 
 Name: docker-ce
 Version: %{_version}
@@ -24,7 +26,10 @@ Requires: container-selinux >= 2:2.74
 Requires: libseccomp >= 2.3
 Requires: systemd
 Requires: iptables
+%if %{undefined rhel} || 0%{?rhel} < 9
+# Libcgroup is no longer available in RHEL/CentOS >= 9 distros.
 Requires: libcgroup
+%endif
 Requires: containerd.io >= 1.4.1
 Requires: tar
 Requires: xz
diff --git a/rpm/centos-8/Dockerfile b/rpm/centos-8/Dockerfile
index c4270befab..4f029c96c0 100644
--- a/rpm/centos-8/Dockerfile
+++ b/rpm/centos-8/Dockerfile
@@ -29,15 +29,15 @@ RUN if [ -f /etc/yum.repos.d/CentOS-Stream-PowerTools.repo ]; then sed -i 's/ena
 # https://forums.centos.org/viewtopic.php?f=54&t=72574, and
 # https://access.redhat.com/solutions/3720351
 RUN rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
-RUN yum install -y rpm-build rpmlint yum-utils
+RUN dnf install -y rpm-build rpmlint dnf-plugins-core
 COPY SPECS /root/rpmbuild/SPECS
 
 # TODO change once we support scan-plugin on other architectures
 RUN \
   if [ "$(uname -m)" = "x86_64" ]; then \
-    yum-builddep --define '_without_btrfs 1' -y /root/rpmbuild/SPECS/*.spec; \
+    dnf builddep --define '_without_btrfs 1' -y /root/rpmbuild/SPECS/*.spec; \
   else \
-    yum-builddep --define '_without_btrfs 1' -y /root/rpmbuild/SPECS/docker-c*.spec; \
+    dnf builddep --define '_without_btrfs 1' -y /root/rpmbuild/SPECS/docker-c*.spec; \
   fi
 
 COPY --from=golang /usr/local/go /usr/local/go
diff --git a/rpm/centos-9/Dockerfile b/rpm/centos-9/Dockerfile
new file mode 100644
index 0000000000..614d7c4837
--- /dev/null
+++ b/rpm/centos-9/Dockerfile
@@ -0,0 +1,41 @@
+ARG GO_IMAGE
+ARG DISTRO=centos
+ARG SUITE=9
+ARG BUILD_IMAGE=quay.io/centos/${DISTRO}:stream${SUITE}
+
+FROM ${GO_IMAGE} AS golang
+
+FROM ${BUILD_IMAGE}
+ENV GOPROXY=direct
+ENV GO111MODULE=off
+ENV GOPATH=/go
+ENV PATH $PATH:/usr/local/go/bin:$GOPATH/bin
+ENV AUTO_GOPATH 1
+ENV DOCKER_BUILDTAGS exclude_graphdriver_btrfs seccomp selinux
+ENV RUNC_BUILDTAGS seccomp selinux
+ARG DISTRO
+ARG SUITE
+ENV DISTRO=${DISTRO}
+ENV SUITE=${SUITE}
+
+# RHEL8 / CentOS 8 changed behavior and no longer "rpm --import" or
+# "rpmkeys --import"as part of rpm package's %post scriplet. See
+# https://forums.centos.org/viewtopic.php?f=54&t=72574, and
+# https://access.redhat.com/solutions/3720351
+RUN rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
+RUN dnf install -y rpm-build rpmlint dnf-plugins-core
+RUN dnf config-manager --set-enabled crb
+
+COPY SPECS /root/rpmbuild/SPECS
+
+# TODO change once we support scan-plugin on other architectures
+RUN \
+  if [ "$(uname -m)" = "x86_64" ]; then \
+    dnf builddep --define '_without_btrfs 1' -y /root/rpmbuild/SPECS/*.spec; \
+  else \
+    dnf builddep --define '_without_btrfs 1' -y /root/rpmbuild/SPECS/docker-c*.spec; \
+  fi
+
+COPY --from=golang /usr/local/go /usr/local/go
+WORKDIR /root/rpmbuild
+ENTRYPOINT ["/bin/rpmbuild"]