What is an OCI Image

Key idea:

OCI (Open Container Initiative) is a standards organisation (Linux Foundation, 2015) that defines the container image format, runtime and distribution. Docker, containerd and CRI-O are all OCI-compatible. An image is a set of tarball layers plus a JSON manifest. OCI registries (distribution) include Docker Hub, GHCR, ECR and Harbor. Since 2022, Helm charts are also distributed via OCI registries.

Details

  • Image spec: manifest + config + layers (tar.gz each)
  • Distribution spec: HTTP API for push/pull with registry
  • Runtime spec: how runtime starts the container (runc, crun implementations)
  • Multi-arch: manifest list for x86_64 + arm64 + s390x
  • Artifacts: not only images — Helm charts, SBOMs, policies — all in OCI format

Example

# Inspect OCI manifest
docker manifest inspect nginx:latest
# Or with skopeo:
skopeo inspect --raw docker://nginx:latest

# Multi-arch build
docker buildx build --platform linux/amd64,linux/arm64 -t myimage:v1 .

# Push Helm chart as OCI
helm push mychart-1.0.0.tgz oci://ghcr.io/me/charts
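
Added example (not from the original page): how a client walks a multi-arch index to the manifest for one platform and checks every descriptor's size and sha256 digest before trusting the bytes. The blob store is an in-memory dict and all content is constructed sample data; the function names are hypothetical.

```python
import hashlib
import json

INDEX_MT = "application/vnd.oci.image.index.v1+json"
MANIFEST_MT = "application/vnd.oci.image.manifest.v1+json"

def digest(data: bytes) -> str:
    return "sha256:" + hashlib.sha256(data).hexdigest()

def descriptor(media_type, data, **extra):
    # An OCI descriptor: what the blob is, its content address, and its length.
    return {"mediaType": media_type, "digest": digest(data), "size": len(data), **extra}

def fetch_verified(blobs, desc):
    """Return the blob a descriptor points to only if size and sha256 match."""
    data = blobs.get(desc["digest"])
    if data is None:
        raise LookupError(f"missing blob {desc['digest']}")
    if len(data) != desc["size"] or digest(data) != desc["digest"]:
        raise ValueError(f"digest mismatch for {desc['digest']}")
    return data

def resolve(blobs, index_bytes, os_name, arch):
    """Walk index -> platform manifest -> config + layers, verifying each hop."""
    for d in json.loads(index_bytes)["manifests"]:
        p = d.get("platform", {})
        if p.get("os") == os_name and p.get("architecture") == arch:
            manifest = json.loads(fetch_verified(blobs, d))
            fetch_verified(blobs, manifest["config"])
            return [fetch_verified(blobs, layer) for layer in manifest["layers"]]
    raise LookupError(f"no manifest for {os_name}/{arch}")

def build_sample():
    """Constructed sample: a two-platform index plus its blobs, keyed by digest."""
    blobs, entries = {}, []
    for arch in ("amd64", "arm64"):
        layer = f"constructed layer bytes for {arch}".encode()  # stands in for a tar.gz
        config = json.dumps({"architecture": arch, "os": "linux"}).encode()
        manifest = json.dumps({
            "schemaVersion": 2, "mediaType": MANIFEST_MT,
            "config": descriptor("application/vnd.oci.image.config.v1+json", config),
            "layers": [descriptor("application/vnd.oci.image.layer.v1.tar+gzip", layer)],
        }).encode()
        for blob in (layer, config, manifest):
            blobs[digest(blob)] = blob
        entries.append(descriptor(MANIFEST_MT, manifest, platform={"os": "linux", "architecture": arch}))
    index = json.dumps({"schemaVersion": 2, "mediaType": INDEX_MT, "manifests": entries}).encode()
    return blobs, index
```

Because the index pins each manifest by digest and each manifest pins its config and layers by digest, pulling by the index digest rather than a mutable tag fixes the whole tree.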

Frequently Asked Questions

OCI vs Docker image?

Synonymous now. Docker donated its image format to OCI in 2015, so Docker images are OCI images. Some legacy formats (v1 Docker manifest) are not OCI and are deprecated.

Registry choice?

Docker Hub: free but rate-limited (100 pulls/6h anonymous). GHCR: free for public. ECR: $$ but tight AWS integration. Harbor: self-host.

Signing/verification?

Sigstore (Cosign): sign OCI artifacts and verify provenance. SBOM (Software Bill of Materials): attach a dependency list to the image. Policy enforcement: admission controllers.