2.2.3 OCI Standard Layer

A focused guide to OCI Standard Layer, connecting core concepts with practical Docker and container operations.

The OCI standard layer is the set of published specifications — the Open Container Initiative's image format and runtime format — that define, independently of any single vendor, what a container image looks like and how a compliant runtime should execute it, which is what allows Docker, containerd, runc, Kubernetes, and other tools to interoperate.

Two Core Specifications

The OCI defines two separate specifications: the image specification, which describes how an image's layers, configuration, and metadata are structured and stored, and the runtime specification, which describes the configuration format a runtime like runc consumes to create a container.

cat manifest.json

An OCI image manifest lists the image's layers by content digest and references its configuration, in a format any OCI-compliant tool can parse regardless of which tool produced it.
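
Because the manifest names its config and layers by content digest, a consumer can check every blob it receives no matter which tool or registry supplied it. The Python below is an added example, not code from this guide or from any OCI tool: it verifies each descriptor in a manifest against the blob bytes, and the sample config, layer and in-memory blob store are constructed for the illustration.

```python
import hashlib
import json

def descriptor(media_type: str, data: bytes) -> dict:
    """Build an OCI content descriptor: media type, sha256 digest, byte size."""
    return {"mediaType": media_type,
            "digest": "sha256:" + hashlib.sha256(data).hexdigest(),
            "size": len(data)}

def verify_manifest(manifest_bytes: bytes, blobs: dict) -> list:
    """Check config and layer descriptors against blob bytes; [] means all match."""
    manifest = json.loads(manifest_bytes)
    if manifest.get("schemaVersion") != 2:
        return ["unsupported schemaVersion"]
    problems = []
    for desc in [manifest["config"], *manifest["layers"]]:
        algo, _, expected_hex = desc["digest"].partition(":")
        blob = blobs.get(desc["digest"])
        if algo != "sha256":
            problems.append(f"{desc['digest']}: unsupported digest algorithm")
        elif blob is None:
            problems.append(f"{desc['digest']}: blob missing")
        elif len(blob) != desc["size"]:
            problems.append(f"{desc['digest']}: size mismatch")
        elif hashlib.sha256(blob).hexdigest() != expected_hex:
            problems.append(f"{desc['digest']}: digest mismatch")
    return problems

# Constructed sample content (not a real image): one config blob, one layer blob.
CONFIG = json.dumps({"architecture": "amd64", "os": "linux"}).encode()
LAYER = b"constructed layer bytes standing in for a tar+gzip archive"
MANIFEST = json.dumps({
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.manifest.v1+json",
    "config": descriptor("application/vnd.oci.image.config.v1+json", CONFIG),
    "layers": [descriptor("application/vnd.oci.image.layer.v1.tar+gzip", LAYER)],
}).encode()
# Blob store keyed by digest, as in an OCI image layout's blobs/sha256/ directory.
BLOBS = {d["digest"]: data for d, data in
         [(descriptor("", CONFIG), CONFIG), (descriptor("", LAYER), LAYER)]}

def tampered_store() -> dict:
    """Same store, but the layer bytes were altered (same length) after the manifest was written."""
    layer_digest = json.loads(MANIFEST)["layers"][0]["digest"]
    return {**BLOBS, layer_digest: LAYER.replace(b"layer", b"LAYER")}

if __name__ == "__main__":
    print("intact:", verify_manifest(MANIFEST, BLOBS))
    print("tampered:", verify_manifest(MANIFEST, tampered_store()))
```

The size check runs before hashing so an oversized or truncated blob is rejected without reading it through the hash function.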

Why Standardization Matters

Before this standardization, different container tools risked producing incompatible image formats, which would have fragmented the ecosystem into tool-specific silos. Because Docker, podman, and other build tools all produce OCI-compliant images, an image built with one tool can be run by any other OCI-compliant runtime.

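docker build -t myapp -f Dockerfile .
# Docker and Podman keep separate local image stores, so hand the image over first
docker save myapp | podman load
podman run myapp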

An image built with Docker can, in practice, be run with an entirely different tool, because both adhere to the same underlying image specification.

The Runtime Specification's Role

The runtime specification standardizes the configuration format passed to a low-level runtime like runc, meaning higher-level tools (Docker's containerd, or other systems) can generate this configuration without needing to know the internal implementation details of whichever specific runtime ultimately consumes it.

runc spec

This produces a configuration conforming to the OCI runtime specification, independent of any particular higher-level tool.

Distribution Specification

A related, newer OCI specification standardizes how registries serve and accept images over the network, ensuring that any OCI-compliant client can push to or pull from any OCI-compliant registry, regardless of vendor.

docker push myregistry.example.com/myapp:1.0

Why the OCI Standard Layer Matters

This shared standard is the reason container tooling built by different organizations — build tools, runtimes, orchestrators, registries — can be mixed and matched freely, rather than requiring an entire matched set of tools from a single vendor to work together.
