Inferensys

Glossary

OCI Specification

An open industry standard defining the format and runtime configuration for container images and their filesystem layers to ensure interoperability across registries and runtimes.
Compute infrastructure aisle representing runtime, scale, and model serving.
CONTAINER INTEROPERABILITY STANDARD

What is OCI Specification?

The Open Container Initiative (OCI) Specification defines open industry standards for container image formats and runtime configurations, ensuring interoperability across registries and execution environments.

The OCI Specification is an open governance project under the Linux Foundation that standardizes the image format, distribution protocol, and runtime configuration for containers. It defines how container images are packaged as layered filesystem bundles and how runtimes must execute them, ensuring any OCI-compliant image runs on any OCI-compliant runtime.

The specification consists of three core components: the Image Specification defining the manifest, configuration, and layer serialization; the Runtime Specification governing container lifecycle and state; and the Distribution Specification standardizing the API for pushing and pulling content. This decoupling enables organizations to build private registries and custom runtimes without vendor lock-in.

CONTAINER STANDARDS

Key Features of the OCI Specification

The Open Container Initiative (OCI) defines three core specifications that govern how container images are built, stored, and executed across any compliant runtime or registry.

01

Image Format Specification

Defines the content-addressable structure of container images as a Merkle tree of descriptors. An image consists of:

  • Manifest: JSON document referencing a config blob and ordered layer blobs
  • Config: Execution parameters including environment variables, entrypoint, and architecture
  • Layers: Gzipped tar archives representing filesystem changes applied in sequence

Each component is identified by a SHA256 digest, enabling cryptographic integrity verification and deduplication across registries.

02

Distribution Specification

Standardizes the HTTP API for pushing and pulling content to and from registries. Key endpoints include:

  • PUT /v2/<name>/manifests/<ref>: Upload a manifest
  • GET /v2/<name>/blobs/<digest>: Fetch a layer by content hash
  • HEAD requests: Check existence without downloading

This API enables cross-registry interoperability, allowing tools like Skopeo to copy images between any OCI-compliant registry without vendor lock-in.

03

Runtime Specification

Defines how to unpack and execute an OCI image on a host system. Specifies:

  • Filesystem bundle layout: How layers are merged into a rootfs directory
  • config.json: JSON document defining process isolation, cgroups, namespaces, seccomp profiles, and mount points
  • Lifecycle hooks: Pre-start, post-start, and post-stop operations

This ensures that any OCI-compliant runtime—such as runc, crun, or gVisor—can execute the same image identically.

04

OCI Artifacts Extension

Extends registries beyond container images to store arbitrary artifact types. Uses the OCI Artifact Manifest to reference any content type:

  • Helm charts stored as OCI artifacts
  • SBOMs and vulnerability scan results attached to images
  • Cosign signatures and Sigstore attestations

Artifacts are referenced via the referrers API, enabling discovery of all supplementary metadata associated with a given image digest without modifying the original manifest.

05

Content Addressability

Every blob and manifest is addressed by its cryptographic digest rather than a mutable tag. This provides:

  • Tamper detection: Any modification changes the digest
  • Deduplication: Identical layers are stored once across all images
  • Deterministic pulls: The same digest always yields identical content

Tags remain as mutable pointers to digests, but production deployments should reference digests directly for immutable, verifiable deployments.

06

Multi-Architecture Index

The OCI Image Index (or Docker Manifest List) allows a single tag to reference multiple platform-specific manifests. An index contains:

  • Array of descriptors with platform fields (os, architecture, variant)
  • Each descriptor points to a full image manifest for that platform

Runtimes automatically select the matching manifest for their architecture, enabling a single nginx:latest tag to serve amd64, arm64, s390x, and other architectures transparently.

OCI SPECIFICATION

Frequently Asked Questions

Clarifying the foundational open standards that govern container image formats, distribution, and runtime configuration to ensure universal interoperability across cloud-native toolchains.

The OCI Specification is an open industry standard developed under the Open Container Initiative that defines the technical format for container images and their runtime configuration. It works by splitting the container ecosystem into three distinct specifications: the Image Specification (defining the filesystem bundle, layers, and manifest), the Runtime Specification (defining how to unpack and execute the filesystem bundle), and the Distribution Specification (defining the API protocol for pushing and pulling images). By strictly defining these interfaces, the OCI ensures that an image built with one tool can be executed on any compliant runtime, such as containerd or CRI-O, without vendor lock-in.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.