Open Container Initiative (OCI)
Specifications:
runc - reference implementation of runtime spec
Founded in 2015 by leaders in the container industry
Version 1.0 was released in 2020
Currently 29 members
Technical oversight committee from 8 companies
Overview of OCI specs w.r.t. image distribution
Image storage
APIs
Generic artifacts
Relationships between artifacts
Typical workflow interacting with a container registry
Widespread adoption of OCI media types
What | OCI | Docker |
---|---|---|
Image Index | vnd.oci.image.index.v1+json | vnd.docker.distribution.manifest.list.v2+json |
Image Manifest | vnd.oci.image.manifest.v1+json | vnd.docker.distribution.manifest.v2+json |
Image Config | vnd.oci.image.config.v1+json | vnd.docker.container.image.v1+json |
Image Layer | vnd.oci.image.layer.v1.tar+gzip | vnd.docker.image.rootfs.diff.tar.gzip |
Tell registry which content to return
Manifests can only be image index or image manifest
Content type must be known beforehand
Content types will be checked in order
Control which media type is returned
What if we used new media types?!
Initial project to store artifacts in OCI registries
Very low-level
Official guidance for artifacts
Upload generic artifacts to OCI registry
Cloud Native Application Bundles (CNAB)
Container signatures using sigstore’s cosign
OCI 1.0 already supports artifacts with custom media types
OCI 1.1 addresses generic artifacts…
…as well as linking them
Artifacts must include a subject field in the manifest mentioning the parent
New referrers API manages links to parent artifact
Initial implementation in distribution by ORAS
Client tools: oras, trivy, trivy-plugin-referrer, regclient
Push image
Sign image, push signature and refer to image
Create SBOM, push it and refer to image
Sign SBOM, push signature and refer to image
Create sarif report, push it and refer to SBOM
Sign sarif report, push signature and refer to sarif report
Data as of 2023-01-05 using OCI v1.1.0-rc.1 (diff to v1.1.0-rc.3); updated 2023-11-15 with further research
Registry | State | Remarks |
---|---|---|
Distribution | oras-project/distribution#59 | |
Docker Hub | | |
AWS ECR | looks like it | |
Azure ACR | announcement | |
GitHub GCR | | |
Google GAR | | |
Harbor | since v2.9.0 | |
Jfrog Artifactory | | |
Quay | since v3.8.6 | |
zot | since v1.3.4 | |
Legend: unknown, underway, supported, unsupported
OCI 1.1 accommodates slow adoption
Artifacts are stored under the tag sha256-<sha256>
Find linked artifacts: tags matching sha256-*, subject from manifest
Referrers work even without support for OCI 1.1
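Added example (not from the talk or any OCI project) modelling the linking described above: an artifact manifest carries a `subject` pointing at its parent, and on a registry without the referrers API the client keeps an image index of referrer descriptors under the `sha256-<digest>` fallback tag. The in-memory `Registry` class, the `vnd.example.*` artifact types and the digests are constructed for the example.

```python
import hashlib
import json

# Constructed stand-in for a registry: content-addressed manifests plus a tag table.
MANIFEST_TYPE = "application/vnd.oci.image.manifest.v1+json"
INDEX_TYPE = "application/vnd.oci.image.index.v1+json"
EMPTY_CONFIG = {"mediaType": "application/vnd.oci.empty.v1+json", "digest": "sha256:" + "0" * 64, "size": 2}

def digest_of(manifest: dict) -> str:
    # Digest the registry computes over the stored manifest bytes (canonical JSON here).
    raw = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
    return "sha256:" + hashlib.sha256(raw).hexdigest()
def fallback_tag(subject_digest: str) -> str:
    # Tag used when the registry has no referrers API: sha256-<hex digest of the subject>.
    return subject_digest.replace("sha256:", "sha256-", 1)
def referrer(subject: dict, artifact_type: str) -> dict:
    # Minimal OCI 1.1 manifest whose `subject` field names the parent artifact.
    return {"schemaVersion": 2, "mediaType": MANIFEST_TYPE, "artifactType": artifact_type,
            "config": EMPTY_CONFIG, "layers": [],
            "subject": {"mediaType": subject["mediaType"], "digest": digest_of(subject), "size": 0}}

class Registry:
    def __init__(self):
        self.manifests, self.tags = {}, {}  # digest -> manifest, tag -> digest
    def push(self, manifest: dict, tag: str = None) -> str:
        d = digest_of(manifest)
        self.manifests[d] = manifest
        if tag:
            self.tags[tag] = d
        if "subject" in manifest:  # no referrers API: the client maintains an index under the fallback tag
            ftag = fallback_tag(manifest["subject"]["digest"])
            old = self.manifests.get(self.tags.get(ftag)) or {"schemaVersion": 2, "mediaType": INDEX_TYPE, "manifests": []}
            desc = {"mediaType": MANIFEST_TYPE, "digest": d, "size": 0, "artifactType": manifest["artifactType"]}
            self.push({**old, "manifests": old["manifests"] + [desc]}, ftag)
        return d
    def referrers(self, subject_digest: str, artifact_type: str = None) -> list:  # fallback lookup via sha256-* tag
        index = self.manifests.get(self.tags.get(fallback_tag(subject_digest)))
        return [x for x in (index or {"manifests": []})["manifests"] if artifact_type in (None, x["artifactType"])]

def demo() -> dict:
    # The talk's workflow: image; signature and SBOM referring to it; SARIF report referring to the SBOM.
    reg = Registry()
    image = {"schemaVersion": 2, "mediaType": MANIFEST_TYPE, "config": EMPTY_CONFIG, "layers": []}
    img = reg.push(image, "v1")
    reg.push(referrer(image, "application/vnd.example.signature"))  # constructed artifact types
    sbom = referrer(image, "application/vnd.example.sbom")
    sbom_digest = reg.push(sbom)
    reg.push(referrer(sbom, "application/vnd.example.sarif"))
    return {"image": reg.referrers(img), "sbom": reg.referrers(sbom_digest),
            "sbom_only": reg.referrers(img, "application/vnd.example.sbom")}
```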