OCI Image Format Specification v1 Josh Wood DocOps at CoreOS @joshixisjosh9 

CoreOS runs the world’s containers We’re hiring: [email protected] [email protected] 90+ Projects on GitHub, 1,000+ Contributors coreos.com Support plans, training and more OPEN SOURCE ENTERPRISE 

Overview Making Containers Portable 

!Define fundamentals around which consensus can form !Are not a complete platform for production !Example: HTML Standards 

!Writing an HTML doc: by hand, generating with a CMS, or compiling with a static engine like Hugo !Rendering (executing) that doc: Browsers implement the standard HTML as a Standard 

!Different ways to create HTML - tools compete on that experience, not what they produce !Browsers compete on: render speed, UI features, upgrades/security, … !They agree on the standard Competing above standards 

!Discrete artifact containing everything an app needs to run !Dependencies, libraries, executable Containers: What even are they? 

The OCI Container Image standard is like HTML in our analogy: !Tools to build containers (actool, Docker (client), …) !Runtimes to execute them: OCI runtime (runc): Specifically: Docker, rkt, CRIO, et al Standards for containers 

Diverging implementations could: !Fragment communities and efforts !Do redundant work !Lock users into implementation and vendor Why we need standards for containers 

!Execution environment choice, features: rkt has some features for bootstap-level software packaged in containers. !Kubernetes has an interface, CRI, designed to make the runtime modular, replaceable !Migration among environments enables economic decisions about where things run Why you need standards for containers 

History The road to the OCI Image Format 

c.2014 Docker, obvs, and Docker v1 and v2 image formats Rkt and AppC, `.aci` images Tools, runtime, and image format: All different History: Before the OCI Image standard 

A CLI for running app containers on Linux. Focuses on: ! Security ! Modularity ! Standards/Compatibility 

A CLI for running app containers on Linux. Modularity: Internal ! Stages of execution ! Fly, cgroups/ns, KVM vm ○SAME CONTAINER 

!The OCI brings together CoreOS, Docker, Red Hat, Google, Microsoft and others to define standards for software containers !April 2016: Efforts begin on OCI Container Image Format Specification !Based on Docker v2.2 image structure Open Container Initiative 

The Standard OCI Container Image Specification v1.0 

!Resize/Upgrade - coordination for availability !Layout - inherits Docker v2.2 layers !Distribution - out of OCI scope !Sign/Verify - Optional OCI Container Image Specification 

OCI Container Image ancestry Docker v1 appc Docker v2 OCI Image Spec Content-addr No Yes Yes Yes Signable No Yes Yes, optional Yes, optional* Federated namespace Yes Yes Yes Yes Introduced 2013 2014 April 2015 July 2017 

https://coreos.com/blog/oci-image-specification.html https://coreos.com/blog/making-sense-of-standards.html https://blog.docker.com/2017/07/demystifying-open-container-initiative-oci- specifications/ And of course: https://github.com/opencontainers/image-spec https://www.opencontainers.org/about/oci-scope-table URLs 

[email protected] @joshixisjosh9 joshix.com QUESTIONS? Thanks! We’re hiring: coreos.com/careers Let’s talk! CoreOS-User google group More events: coreos.com/ community LONGER CHAT?