diff --git a/roles/install-openshift/tasks/main.yaml b/roles/install-openshift/tasks/main.yaml
index d897efa57..a36d229ee 100644
--- a/roles/install-openshift/tasks/main.yaml
+++ b/roles/install-openshift/tasks/main.yaml
@@ -25,6 +25,20 @@
     state: absent
   become: yes
 
+- name: Ensure "docker" group exists
+  become: true
+  group:
+    name: docker
+    state: present
+
+- name: Add user to docker group
+  become: true
+  user:
+    name: "{{ ansible_user }}"
+    groups:
+      - docker
+    append: yes
+
 - name: Start docker service
   service:
     name: docker
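Review bot: Membership in the `docker` group, granted to `{{ ansible_user }}` in "Add user to docker group", is effectively root on the node, because the Docker daemon runs as root and acts on behalf of anyone who can reach its socket. That is a reasonable trade on a throwaway test node, but the task should say so, e.g. `# docker group is root-equivalent on this host; intended for ephemeral CI nodes only`, so the role is not reused on a long-lived host without that being a conscious choice. As a style point, `append: yes` could be `append: true` to match the `become: true` used in the same added tasks. The "Start docker service" task continues past the end of the hunk.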
@@ -41,3 +55,12 @@
     - origin-pod
     - origin
   become: yes
+
+- name: Set group ownership of docker socket
+  become: true
+  file:
+    path: /var/run/docker.sock
+    group: docker
+
+- name: Reset ssh connection to pick up docker group
+  meta: reset_connection
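Review bot: The "Set group ownership of docker socket" task pins only the group, so whether members of `docker` can use `/var/run/docker.sock`, and whether anyone else can, still depends on the mode the socket happened to be created with. Stating the full expectation with `owner: root` and `mode: '0660'` makes the task assert group access and no world access. The socket is normally recreated when the daemon restarts, so this ownership is probably not persistent; a comment such as `# re-applied on every run; not preserved across a docker restart` would make that limitation visible.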
diff --git a/roles/use-buildset-registry/tasks/main.yaml b/roles/use-buildset-registry/tasks/main.yaml
index 212669e38..e8e663be2 100644
--- a/roles/use-buildset-registry/tasks/main.yaml
+++ b/roles/use-buildset-registry/tasks/main.yaml
@@ -1,3 +1,12 @@
+- name: Include OS-specific variables
+  include_vars: "{{ item }}"
+  with_first_found:
+    - "{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yaml"
+    - "{{ ansible_distribution }}.{{ ansible_architecture }}.yaml"
+    - "{{ ansible_distribution }}.yaml"
+    - "{{ ansible_os_family }}.yaml"
+    - "default.yaml"
+
 # Docker doesn't understand docker push [1234:5678::]:5000/image/path:tag
 # so we set up /etc/hosts with a registry alias name to support ipv6 and 4.
 - name: Configure /etc/hosts for buildset_registry to workaround docker not understanding ipv6 addresses
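Review bot: Only `CentOS.yaml` and `default.yaml` are added under `vars/`, so on RHEL or Fedora the lookup in "Include OS-specific variables" falls through the `{{ ansible_os_family }}.yaml` entry to `default.yaml`. The role would then write the registry CA to `/usr/local/share/ca-certificates` and run `update-ca-certificates`, which are the Debian-style locations and are unlikely to work there. Naming the new file `RedHat.yaml`, which the `ansible_os_family` entry already matches for CentOS, would cover the whole family with the same two values. A comment above the task listing which vars files exist would also show the next reader what the fallback means.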
@@ -27,9 +36,9 @@
   become: true
   copy:
     content: "{{ buildset_registry.cert }}"
-    dest: "/usr/local/share/ca-certificates/buildset-registry.crt"
+    dest: "{{ ca_dir }}/buildset-registry.crt"
 - name: Update CA certs
-  command: update-ca-certificates
+  command: "{{ ca_command }}"
   become: true
 
 # Update daemon config
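Review bot: `ca_dir` and `ca_command` are very generic names for values that decide where a trusted CA certificate is written and which command runs under `become: true`. A variable of the same name set with higher precedence elsewhere in a job (for example by `set_fact` in another role) would silently replace them. Role-prefixed names such as `buildset_registry_ca_dir` and `buildset_registry_ca_command`, in line with `buildset_registry_docker_user`, avoid the collision. The copy task that uses `ca_dir` starts above the hunk.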
diff --git a/roles/use-buildset-registry/vars/CentOS.yaml b/roles/use-buildset-registry/vars/CentOS.yaml
new file mode 100644
index 000000000..c2b260ab2
--- /dev/null
+++ b/roles/use-buildset-registry/vars/CentOS.yaml
@@ -0,0 +1,2 @@
+ca_dir: /etc/pki/ca-trust/source/anchors
+ca_command: update-ca-trust
diff --git a/roles/use-buildset-registry/vars/default.yaml b/roles/use-buildset-registry/vars/default.yaml
new file mode 100644
index 000000000..7bea1b23b
--- /dev/null
+++ b/roles/use-buildset-registry/vars/default.yaml
@@ -0,0 +1,2 @@
+ca_dir: /usr/local/share/ca-certificates
+ca_command: update-ca-certificates
diff --git a/test-playbooks/registry/buildset-registry-openshift-docker.yaml b/test-playbooks/registry/buildset-registry-openshift-docker.yaml
new file mode 100644
index 000000000..dbb2d5fcd
--- /dev/null
+++ b/test-playbooks/registry/buildset-registry-openshift-docker.yaml
@@ -0,0 +1,27 @@
+- hosts: all
+  roles:
+    - role: clear-firewall
+    - role: install-openshift
+    - role: use-buildset-registry
+      buildset_registry_docker_user: root
+    - role: deploy-openshift
+  tasks:
+    - name: Wait for cluster to come up
+      command: kubectl cluster-info
+      register: result
+      until: result.rc == 0
+      retries: 5
+      delay: 30
+    - name: Run a local test pod
+      command: oc run --generator=run-pod/v1 --image=zuul/docker-testimage dockertest
+    - name: Wait for the pod to be ready
+      command: oc wait --for=condition=Ready pod/dockertest --timeout=60s
+    - name: Check the output of the pod
+      shell: "oc logs pod/dockertest | grep 'Zuul container test'"
+
+    - name: Run a remote test pod
+      command: oc run --generator=run-pod/v1 --image=debian:testing upstream-dockertest --command -- /bin/bash -c 'echo Upstream; sleep infinity'
+    - name: Wait for the pod to be ready
+      command: oc wait --for=condition=Ready pod/upstream-dockertest --timeout=60s
+    - name: Check the output of the pod
+      shell: "oc logs pod/upstream-dockertest | grep 'Upstream'"
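Review bot: Both "Check the output of the pod" tasks pipe `oc logs` into `grep` without `pipefail`, so a failing `oc logs` is reported only as a grep miss and is hard to tell apart from the expected string being absent. `shell: "set -o pipefail; oc logs pod/dockertest | grep 'Zuul container test'"`, with `executable: /bin/bash` under `args`, surfaces the real failure. The two groups of tasks also reuse the names "Wait for the pod to be ready" and "Check the output of the pod"; putting the pod name in each makes the failing step unambiguous in the job log.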
diff --git a/zuul-tests.d/container-roles-jobs.yaml b/zuul-tests.d/container-roles-jobs.yaml
index 46a291619..2922ea23e 100644
--- a/zuul-tests.d/container-roles-jobs.yaml
+++ b/zuul-tests.d/container-roles-jobs.yaml
@@ -111,6 +111,33 @@
     vars:
       container_command: docker
 
+- job:
+    name: zuul-jobs-test-registry-buildset-registry-openshift-docker
+    dependencies: zuul-jobs-test-registry-buildset-registry
+    description: |
+      Test a buildset registry with openshift and docker
+
+      It is not meant to be used directly but rather run on changes
+      to roles in the zuul-jobs repo.
+    files:
+      - roles/pull-from-intermediate-registry/.*
+      - roles/push-to-intermediate-registry/.*
+      - roles/install-docker/.*
+      - roles/install-openshift/.*
+      - roles/build-docker-image/.*
+      - roles/run-buildset-registry/.*
+      - roles/use-buildset-registry/.*
+      - test-playbooks/registry/.*
+    run: test-playbooks/registry/buildset-registry-openshift-docker.yaml
+    post-run:
+      - test-playbooks/registry/test-registry-post.yaml
+    vars:
+      container_command: docker
+    nodeset:
+      nodes:
+        - name: controller
+          label: centos-7
+
 - job:
     name: zuul-jobs-test-install-kubernetes-docker
     description: |
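Review bot: The `files` matcher of `zuul-jobs-test-registry-buildset-registry-openshift-docker` omits `roles/deploy-openshift/.*` and `roles/clear-firewall/.*`, although the playbook it runs applies both roles. A change to either role would therefore not trigger this job, unless that omission is intentional. Adding `- roles/deploy-openshift/.*` and `- roles/clear-firewall/.*` keeps the trigger list in step with the roles the test actually exercises. The following job definition continues past the end of the hunk.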
@@ -166,6 +193,7 @@
         - zuul-jobs-test-registry-podman
         - zuul-jobs-test-registry-buildset-registry
         - zuul-jobs-test-registry-buildset-registry-k8s-docker
+        - zuul-jobs-test-registry-buildset-registry-openshift-docker
         - zuul-jobs-test-install-kubernetes-docker
         - zuul-jobs-test-install-kubernetes-crio
         - zuul-jobs-test-install-podman