diff --git a/docker/Dockerfile b/docker/Dockerfile
new file mode 100644
index 00000000..47be5a40
--- /dev/null
+++ b/docker/Dockerfile
@@ -0,0 +1,75 @@
+FROM debian:11 as build
+
+RUN apt-get update && \
+    apt-get install -y --no-install-recommends \
+        git clang make binutils autoconf automake autotools-dev libtool \
+        pkg-config \
+        zlib1g-dev libev-dev libjemalloc-dev ruby-dev libc-ares-dev bison \
+        libelf-dev
+
+RUN git clone --depth 1 -b openssl-3.0.0+quic https://github.com/quictls/openssl && \
+    cd openssl && \
+    ./config --openssldir=/etc/ssl && \
+    make -j$(nproc) && \
+    make install_sw && \
+    cd .. && \
+    rm -rf openssl
+
+RUN git clone --depth 1 https://github.com/ngtcp2/nghttp3 && \
+    cd nghttp3 && \
+    autoreconf -i && \
+    ./configure --enable-lib-only && \
+    make -j$(nproc) && \
+    make install-strip && \
+    cd .. && \
+    rm -rf nghttp3
+
+RUN git clone --depth 1 https://github.com/ngtcp2/ngtcp2 && \
+    cd ngtcp2 && \
+    autoreconf -i && \
+    ./configure --enable-lib-only \
+        LIBTOOL_LDFLAGS="-static-libtool-libs" \
+        OPENSSL_LIBS="-l:libssl.a -l:libcrypto.a -ldl -lpthread" \
+        PKG_CONFIG_PATH="/usr/local/lib64/pkgconfig" && \
+    make -j$(nproc) && \
+    make install-strip && \
+    cd .. && \
+    rm -rf ngtcp2
+
+RUN git clone --depth 1 -b v0.4.0 https://github.com/libbpf/libbpf && \
+    cd libbpf && \
+    PREFIX=/usr/local make -C src install && \
+    cd .. && \
+    rm -rf libbpf
+
+RUN git clone --depth 1 https://github.com/nghttp2/nghttp2.git && \
+    cd nghttp2 && \
+    git submodule update --init && \
+    autoreconf -i && \
+    ./configure --disable-examples --disable-hpack-tools \
+        --disable-python-bindings --with-mruby --with-neverbleed \
+        --enable-http3 --with-libbpf \
+        CC=clang CXX=clang++ \
+        LIBTOOL_LDFLAGS="-static-libtool-libs" \
+        OPENSSL_LIBS="-l:libssl.a -l:libcrypto.a -ldl -pthread" \
+        LIBEV_LIBS="-l:libev.a" \
+        JEMALLOC_LIBS="-l:libjemalloc.a" \
+        LIBCARES_LIBS="-l:libcares.a" \
+        ZLIB_LIBS="-l:libz.a" \
+        LIBBPF_LIBS="-L/usr/local/lib64 -l:libbpf.a -l:libelf.a" \
+        LDFLAGS="-static-libgcc -static-libstdc++" \
+        PKG_CONFIG_PATH="/usr/local/lib64/pkgconfig" && \
+    make -j$(nproc) install-strip && \
+    cd .. && \
+    rm -rf nghttp2
+
+FROM gcr.io/distroless/base-debian11
+
+COPY --from=build \
+    /usr/local/bin/h2load \
+    /usr/local/bin/nghttpx \
+    /usr/local/bin/nghttp \
+    /usr/local/bin/nghttpd \
+    /usr/local/bin/
+COPY --from=build /usr/local/lib/nghttp2/reuseport_kern.o \
+    /usr/local/lib/nghttp2/
diff --git a/docker/Dockerfile-h2load-http3 b/docker/Dockerfile-h2load-http3
deleted file mode 100644
index b5dcd411..00000000
--- a/docker/Dockerfile-h2load-http3
+++ /dev/null
@@ -1,39 +0,0 @@
-FROM debian:10 as build
-
-RUN apt-get update && \
-    apt-get install -y --no-install-recommends \
-        git g++ make binutils autoconf automake autotools-dev libtool \
-        pkg-config \
-        zlib1g-dev libev-dev libjemalloc-dev ruby-dev libc-ares-dev bison && \
-    git clone --depth 1 -b OpenSSL_1_1_1l+quic https://github.com/quictls/openssl && \
-    cd openssl && ./config enable-tls1_3 --openssldir=/etc/ssl && make -j$(nproc) && make install_sw && cd .. && rm -rf openssl && \
-    git clone --depth 1 https://github.com/ngtcp2/nghttp3 && \
-    cd nghttp3 && autoreconf -i && \
-    ./configure --enable-lib-only && \
-    make -j$(nproc) && make install-strip && cd .. && rm -rf nghttp3 && \
-    git clone --depth 1 https://github.com/ngtcp2/ngtcp2 && \
-    cd ngtcp2 && autoreconf -i && \
-    ./configure --enable-lib-only \
-        LIBTOOL_LDFLAGS="-static-libtool-libs" \
-        OPENSSL_LIBS="-l:libssl.a -l:libcrypto.a -ldl -lpthread" && \
-    make -j$(nproc) && make install-strip && cd .. && rm -rf ngtcp2 && \
-    git clone --depth 1 https://github.com/nghttp2/nghttp2.git && \
-    cd nghttp2 && \
-    git submodule update --init && autoreconf -i && \
-    ./configure --disable-examples --disable-hpack-tools \
-        --disable-python-bindings --with-mruby --with-neverbleed \
-        --enable-http3 \
-        LIBTOOL_LDFLAGS="-static-libtool-libs" \
-        LIBS="-ldl -pthread" \
-        OPENSSL_LIBS="-l:libssl.a -l:libcrypto.a" \
-        LIBEV_LIBS="-l:libev.a" \
-        JEMALLOC_LIBS="-l:libjemalloc.a" \
-        LIBCARES_LIBS="-l:libcares.a" \
-        ZLIB_LIBS="-l:libz.a" && \
-    make -j$(nproc) install-strip
-
-FROM gcr.io/distroless/cc-debian10
-
-COPY --from=build /usr/local/bin/h2load /usr/local/bin/
-
-ENTRYPOINT ["/usr/local/bin/h2load"]
diff --git a/docker/README.rst b/docker/README.rst
new file mode 100644
index 00000000..7f3a6b59
--- /dev/null
+++ b/docker/README.rst
@@ -0,0 +1,25 @@
+Dockerfile
+==========
+
+Dockerfile creates the applications bundled with nghttp2.
+These applications are:
+
+- nghttp
+- nghttpd
+- nghttpx
+- h2load
+
+HTTP/3 and eBPF features are enabled.
+
+In order to run nghttpx with HTTP/3 endpoint, you need to run the
+image with the escalated privilege and higher memlock value.  Here is
+the example command-line to run nghttpx to listen to HTTP/3 on port
+443, assuming that the current directory contains a private key and a
+certificate in server.key and server.crt respectively :
+
+.. code-block:: text
+
+   $ docker run --rm -it -v $PWD:/shared --net=host --privileged \
+         --ulimit memlock=2048000 nghttp2 nghttpx \
+         /shared/server.key /shared/server.crt \
+         -f'*,443;quic'