OCI (Open Container Initiative) — standards organisation (Linux Foundation, 2015) defining container image format + runtime + distribution. Docker, containerd, CRI-O — all OCI-compatible. Image = tarball layers + JSON manifest. OCI registry (distribution): Docker Hub, GHCR, ECR, Harbor. Since 2022 Helm charts also distribute via OCI registries.
Below: details, example, related terms, FAQ.
Free online tool — HTTP header checker: instant results, no signup.
# Inspect OCI manifest
docker manifest inspect nginx:latest
# Or with skopeo:
skopeo inspect --raw docker://nginx:latest
# Multi-arch build
docker buildx build --platform linux/amd64,linux/arm64 -t myimage:v1 .
# Push Helm chart as OCI
helm push mychart-1.0.0.tgz oci://ghcr.io/me/chartsThe OCI image format is a standardized method of packaging applications and their dependencies into a single, portable unit. An OCI image consists of multiple layers, each represented as a tarball, along with a JSON manifest that describes the image's structure and configuration.
Each layer in an OCI image is a file system change, which means that the final image is built incrementally. The layers are stacked and can be reused across different images, optimizing storage and download times. The config.json file within the image specifies runtime parameters, such as environment variables, entry points, and working directories.
Here's a breakdown of the key components of an OCI image:
By adhering to the OCI specifications, developers can ensure compatibility across various container runtimes and registries, promoting a more unified and interoperable ecosystem.
Creating and distributing OCI images is a straightforward process that can be accomplished using various tools like buildah and podman. Below are practical examples of how to build, tag, and push OCI images to a registry.
1. **Building an OCI Image**: You can use buildah to create an OCI-compliant image from a Dockerfile:
buildah bud -t myapp:latest .This command builds an image named myapp:latest based on the Dockerfile in the current directory.
2. **Pushing to an OCI Registry**: To push the built image to an OCI-compatible registry, use the following commands:
buildah push myapp:latest oci:myapp-oci:latestThis command pushes the image to the local OCI store. To push it to a remote registry, you would first need to tag it appropriately:
buildah tag myapp:latest myregistry.com/myapp:latest
buildah push myregistry.com/myapp:latest
3. **Using Podman**: If you prefer using podman, you can build and push images similarly:
podman build -t myapp:latest .
podman push myapp:latest myregistry.com/myapp:latestBy following these commands, developers can efficiently build and distribute OCI images, ensuring they meet the required standards for compatibility across various platforms.
While both OCI images and Docker images serve the same primary purpose—packaging applications and their dependencies—there are important distinctions between the two formats that developers should be aware of.
1. **Standardization**: OCI images are standardized under the Open Container Initiative, which provides a set of specifications for container image formats and runtimes. Docker images, while widely used, are not strictly compliant with these standards. This means that OCI images are designed to be compatible across different container runtimes, such as containerd and CRI-O.
2. **Image Composition**: Both OCI and Docker images consist of multiple layers and a manifest file. However, the specifications for these components differ slightly. For instance, the OCI image manifest includes an annotations field, which allows for additional metadata, while Docker images may not support this feature.
3. **Runtime Compatibility**: OCI images are compatible with any container runtime that adheres to the OCI specifications. Docker images can be run using Docker's runtime but may require conversion to OCI format for use with other runtimes. This can lead to a lack of portability for Docker images in multi-runtime environments.
4. **Distribution**: OCI images can be distributed through any OCI-compliant registry, such as Docker Hub, Google Container Registry, or GitHub Container Registry. Docker images are typically pushed to Docker Hub by default, which may not be suitable for all use cases.
In summary, while Docker images have been a cornerstone in the container ecosystem, OCI images provide a standardized and interoperable solution that enhances portability and compatibility across diverse environments.
Synonymous now. Docker donated image format to OCI in 2015. Docker images are OCI images. Some legacy formats (v1 Docker manifest) are not OCI and deprecated.
Docker Hub: free but rate-limited (100 pulls/6h anonymous). GHCR: free for public. ECR: $$ but tight AWS integration. Harbor: self-host.
Sigstore (Cosign) — sign OCI artifacts + verify provenance. SBOM (Software Bill of Materials) — attach dep list to image. Policy enforcement — admission controllers.
Free plan — 10 monitors, checks every 5 min, no card required. Upgrade for 1-minute interval and multi-region monitoring.