✦ For everyone, free.

Practical knowledge for real and everyday life

Home

2.2.3.1 OCI Image Spec

A focused guide to OCI Image Spec, connecting core concepts with practical Docker and container operations.

The OCI Image Spec is the published specification defining exactly how a container image's filesystem layers, configuration, and metadata must be structured and stored, so that any tool implementing the specification can build, store, transfer, and run images produced by any other compliant tool.

What the Specification Defines

The image spec describes three core pieces: a manifest listing the image's layers and pointing to its configuration, a configuration object describing runtime defaults (environment variables, the startup command, exposed ports), and the layers themselves, stored as compressed filesystem archives.

docker inspect myapp:1.0 --format '{{json .Config}}'

This reports the configuration object for an image, in a structure that conforms to the OCI image spec regardless of which tool built the image.

Layers as Content-Addressable Objects

Each layer is identified by a cryptographic digest of its content, which is what allows layers to be deduplicated across images and verified for integrity after being transferred between systems.

docker inspect myapp:1.0 --format '{{json .RootFS.Layers}}'

This lists the layer digests that make up an image, each one independently addressable and verifiable.

The Manifest as the Entry Point

A manifest ties everything together: it references the configuration object and lists the layers in the order they should be applied, giving any compliant tool a single, well-defined entry point for understanding an image's complete structure.

docker manifest inspect myapp:1.0
Why a Published Format Matters

Because the format is published and not tied to Docker specifically, other tools — podman, buildah, cloud-provider build services — can produce images that any OCI-compliant runtime can run, and registries that implement the related distribution spec can serve images regardless of which client uploaded them.

buildah build -t myapp:1.0 .
docker run myapp:1.0

An image built with an entirely different tool runs correctly with Docker, because both adhere to the same image specification.

Why This Matters for the Broader Ecosystem

The OCI Image Spec is the reason container tooling has not fragmented into incompatible, vendor-specific formats — any tool that wants to participate in the container ecosystem can do so by implementing this one shared specification.

Related content