The Open Container Initiative (OCI) standard is an open standard for Linux containers. As born in 2013, Docker has been a de-facto standard of Linux container framework, but the OCI standard was born for a need of open standard, based on the Docker manifest. As the standard is based on Docker manifest, its specifications and structures are very similar to Dockers’, enabling providing compatibilities between Docker and OCI-based container frameworks.
The official website says it contains two specifications (the Image Spec and the Runtime Spec), however, its Github repository actually contains three specification: the Image Spec, the Runtime Spec, and the Distribution Spec. That may be because that distribution is currently out of scope on the OCI Scope Table [link].
The OCI image layout of the Debian image from Docker Hub.
The OCI image consists of:
blobs/sha256: this directory contains information about image manifests and image layers, and compressed layer archives.
index.json: this JSON plaintext contains information about the list of image manifests.
oci-layout: this JSON plaintext contains the version of OCI layout… To be honest, I do not know how to use it.
The contents of
index.json of Debian OCI image.
anntations:org.opencontainers.image.ref.name usually represents a tag name [link].
Therefore, each OCI image directory can contain several image tags, all layers, manifests, configs of which are mixed in
The contents of
debian/blobs/sha256 directory. As indicated there is a file named with the digest
Contents of the image manifest
0578e4.... It explicitly defines the name of image config and layers. Those files are stored in the same directory with this manifest file.
As there is one tag in the image, contents of the directory
blobs/sha256 is quite simple.
Simple summarized diagram of OCI image directory layout.
The OCI Image Spec is much similar to Docker images. Similar to Docker framework, where a container needs to be created from an image, a runtime bundle should be generated from the OCI image.
Detailed explanations are out of this post, just leave a link about it. There are several tools to unpack an OCI image and to generate an OCI runtime bundle.
OCI image tool, we can unpack an OCI image to make a OCI runtime. And then, we can run a container with
As the environment is already running in an unprivileged Docker container, running a new container inside the container is impossible due to the restricted permission. It is supposed to run normally, executing a new shell in a container.