The OCI Specification is an open governance project under the Linux Foundation that standardizes the image format, distribution protocol, and runtime configuration for containers. It defines how container images are packaged as layered filesystem bundles and how runtimes must execute them, ensuring any OCI-compliant image runs on any OCI-compliant runtime.
Glossary
OCI Specification

What is OCI Specification?
The Open Container Initiative (OCI) Specification defines open industry standards for container image formats and runtime configurations, ensuring interoperability across registries and execution environments.
The specification consists of three core components: the Image Specification defining the manifest, configuration, and layer serialization; the Runtime Specification governing container lifecycle and state; and the Distribution Specification standardizing the API for pushing and pulling content. This decoupling enables organizations to build private registries and custom runtimes without vendor lock-in.
Key Features of the OCI Specification
The Open Container Initiative (OCI) defines three core specifications that govern how container images are built, stored, and executed across any compliant runtime or registry.
Image Format Specification
Defines the content-addressable structure of container images as a Merkle tree of descriptors. An image consists of:
- Manifest: JSON document referencing a config blob and ordered layer blobs
- Config: Execution parameters including environment variables, entrypoint, and architecture
- Layers: Gzipped tar archives representing filesystem changes applied in sequence
Each component is identified by a SHA256 digest, enabling cryptographic integrity verification and deduplication across registries.
Distribution Specification
Standardizes the HTTP API for pushing and pulling content to and from registries. Key endpoints include:
- PUT /v2/<name>/manifests/<ref>: Upload a manifest
- GET /v2/<name>/blobs/<digest>: Fetch a layer by content hash
- HEAD requests: Check existence without downloading
This API enables cross-registry interoperability, allowing tools like Skopeo to copy images between any OCI-compliant registry without vendor lock-in.
Runtime Specification
Defines how to unpack and execute an OCI image on a host system. Specifies:
- Filesystem bundle layout: How layers are merged into a rootfs directory
- config.json: JSON document defining process isolation, cgroups, namespaces, seccomp profiles, and mount points
- Lifecycle hooks: Pre-start, post-start, and post-stop operations
This ensures that any OCI-compliant runtime—such as runc, crun, or gVisor—can execute the same image identically.
OCI Artifacts Extension
Extends registries beyond container images to store arbitrary artifact types. Uses the OCI Artifact Manifest to reference any content type:
- Helm charts stored as OCI artifacts
- SBOMs and vulnerability scan results attached to images
- Cosign signatures and Sigstore attestations
Artifacts are referenced via the referrers API, enabling discovery of all supplementary metadata associated with a given image digest without modifying the original manifest.
Content Addressability
Every blob and manifest is addressed by its cryptographic digest rather than a mutable tag. This provides:
- Tamper detection: Any modification changes the digest
- Deduplication: Identical layers are stored once across all images
- Deterministic pulls: The same digest always yields identical content
Tags remain as mutable pointers to digests, but production deployments should reference digests directly for immutable, verifiable deployments.
Multi-Architecture Index
The OCI Image Index (or Docker Manifest List) allows a single tag to reference multiple platform-specific manifests. An index contains:
- Array of descriptors with
platformfields (os, architecture, variant) - Each descriptor points to a full image manifest for that platform
Runtimes automatically select the matching manifest for their architecture, enabling a single nginx:latest tag to serve amd64, arm64, s390x, and other architectures transparently.
Frequently Asked Questions
Clarifying the foundational open standards that govern container image formats, distribution, and runtime configuration to ensure universal interoperability across cloud-native toolchains.
The OCI Specification is an open industry standard developed under the Open Container Initiative that defines the technical format for container images and their runtime configuration. It works by splitting the container ecosystem into three distinct specifications: the Image Specification (defining the filesystem bundle, layers, and manifest), the Runtime Specification (defining how to unpack and execute the filesystem bundle), and the Distribution Specification (defining the API protocol for pushing and pulling images). By strictly defining these interfaces, the OCI ensures that an image built with one tool can be executed on any compliant runtime, such as containerd or CRI-O, without vendor lock-in.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Core concepts that interact with the OCI Specification to form a complete container image management and security lifecycle.
Multi-Arch Image
An OCI Image Index (or Docker manifest list) that references multiple platform-specific image manifests under a single tag. Each entry specifies the platform.os and platform.architecture (e.g., linux/amd64, linux/arm64). When a runtime pulls the tag, it automatically selects the manifest matching its architecture. This enables seamless cross-platform deployment without manual architecture selection.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us