Open Container Initiative (OCI) Standard, Image Spec

The Open Container Initiative (OCI) standard is an open standard for Linux containers. Docker, born in 2013, has been the de-facto standard Linux container framework, but the OCI standard was created to meet the need for an open standard, and it is based on the Docker manifest. Because the standard is based on the Docker manifest, its specifications and structures are very similar to Docker's, which provides compatibility between Docker and OCI-based container frameworks.

The official website says it contains two specifications (the Image Spec and the Runtime Spec); however, its GitHub repository actually contains three specifications: the Image Spec, the Runtime Spec, and the Distribution Spec. That may be because distribution is currently out of scope on the OCI Scope Table [link].

Image Spec

The OCI Image Spec is based on Docker Image Manifest Version 2.2. The architecture is very similar; hence Docker images can be converted to the corresponding OCI image by using the skopeo utility.

[Figure: skopeo copy] The OCI image layout of the Debian image from Docker Hub.

The OCI image consists of:

[Figure: debian_index] The contents of index.json of the Debian OCI image. Each manifest entry in index.json usually represents a tag name [link]. Therefore, one OCI image directory can contain several image tags, and the layers, manifests, and configs of all of them are mixed together in the blobs/sha256 directory.

[Figure: debian_blobs] The contents of the debian/blobs/sha256 directory. As indicated, there is a file named with the digest sha256:0578... referenced from the index.json file.

[Figure: debian_config] Contents of the image manifest 0578e4.... It explicitly names the image config and the layers by digest. Those files are stored in the same directory as this manifest file.

As there is only one tag in the image, the contents of the blobs/sha256 directory are quite simple.

[Figure: oci layout] Simple summarized diagram of the OCI image directory layout.
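The chain just described (index.json to manifest to config and layers, every object stored by digest under blobs/sha256), as an added example that is not part of the original post: a small Python walker that follows the references and re-hashes every blob it reads, so a blob that no longer matches the digest naming it is rejected rather than consumed. It builds a constructed minimal layout in a temporary directory instead of reading the real Debian image; the blob contents, the "latest" tag and the function names are assumptions of the example.

```python
import hashlib, json, tempfile
from pathlib import Path
LAYER_BYTES = b"constructed layer bytes, not a real tar.gz"  # stand-in for a layer tarball

def digest_of(data: bytes) -> str:
    return "sha256:" + hashlib.sha256(data).hexdigest()

def blob_path(root: str, digest: str) -> Path:
    algo, hexval = digest.split(":", 1)        # stored as blobs/<algorithm>/<hex>
    return Path(root, "blobs", algo, hexval)

def read_blob(root: str, digest: str) -> bytes:
    data = blob_path(root, digest).read_bytes()
    if digest_of(data) != digest:  # content addressing only holds if we re-hash on read
        raise ValueError("digest mismatch for " + digest)
    return data

def resolve_image(root: str) -> dict:
    # Walk index.json -> manifest -> config/layers, verifying every blob on the way.
    index = json.loads(Path(root, "index.json").read_text())
    out = {}
    for entry in index["manifests"]:
        tag = entry.get("annotations", {}).get("org.opencontainers.image.ref.name", entry["digest"])
        manifest = json.loads(read_blob(root, entry["digest"]))
        config = json.loads(read_blob(root, manifest["config"]["digest"]))
        layers = [read_blob(root, layer["digest"]) for layer in manifest["layers"]]
        out[tag] = {"arch": config.get("architecture"), "layers": len(layers)}
    return out

def write_blob(root: str, data: bytes) -> dict:
    path = blob_path(root, digest_of(data))
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_bytes(data)
    return {"digest": digest_of(data), "size": len(data)}  # a descriptor, as in a manifest

def build_sample_layout(tag: str = "latest") -> str:
    root = tempfile.mkdtemp()  # constructed minimal layout, not the real Debian image
    layer = write_blob(root, LAYER_BYTES)
    config = write_blob(root, json.dumps({"architecture": "amd64", "os": "linux"}).encode())
    manifest = write_blob(root, json.dumps({"schemaVersion": 2, "config": config, "layers": [layer]}).encode())
    manifest["annotations"] = {"org.opencontainers.image.ref.name": tag}
    Path(root, "index.json").write_text(json.dumps({"schemaVersion": 2, "manifests": [manifest]}))
    return root

def tampered_layer_is_rejected(root: str) -> bool:
    # Append a byte to the layer blob; the re-hash in read_blob must now refuse it.
    with blob_path(root, digest_of(LAYER_BYTES)).open("ab") as f: f.write(b"x")
    try:
        resolve_image(root)
        return False
    except ValueError:
        return True
```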

Runtime Spec

The OCI Image Spec is very similar to that of Docker images. Just as in the Docker framework, where a container has to be created from an image, a runtime bundle has to be generated from the OCI image.

Detailed explanations are out of scope for this post; only a link about it is left here. There are several tools to unpack an OCI image and to generate an OCI runtime bundle.

With umoci or the OCI image tool, we can unpack an OCI image to make an OCI runtime bundle. Then we can run a container from it with runc.

[Figure: umoci_runc] As the environment is already running in an unprivileged Docker container, running a new container inside that container is impossible due to the restricted permissions. It is supposed to run normally, executing a new shell in a container.