OCI Standard — The Open Standard Behind Every Container
What Is the OCI Standard in Simple Terms?
The Open Container Initiative (OCI) is an open standard that defines exactly what a container image is and how it should run. Before OCI, Docker had its own proprietary format. OCI standardised the format so that images built with any tool — Docker, Podman, Buildah, Kaniko — can run on any OCI-compliant runtime — containerd, CRI-O, runc.
TEXT
Before OCI: Docker image format = Docker-proprietary Only Docker could build and run Docker images Vendor lock-in After OCI: OCI image format = open standard Build with: Docker, Podman, Buildah, Kaniko Run with: containerd, CRI-O, runc, Podman No vendor lock-inTwo OCI Specifications
Bash
OCI Image Spec: Defines: what a container image is Format: layers (tarballs), manifest (JSON), config (JSON) Every Docker image IS an OCI image docker build creates OCI-compliant images automatically OCI Runtime Spec: Defines: how to run a container from an OCI image runc: the reference implementation containerd uses runc internally Any runtime implementing this spec can run OCI imagesWhy OCI Matters
Bash
# Build with Docker, run with Podman (no Docker needed)docker build -t payment-api:latest .docker save payment-api:latest | podman loadpodman run payment-api:latest# Works because both speak OCI # Build without Docker (in CI without Docker daemon)# Kaniko runs inside Kubernetes, builds OCI imageskubectl run kaniko \ --image gcr.io/kaniko-project/executor \ -- --context=git://github.com/org/repo \ --destination registry.razorpay.in/payment-api:latest# Produces an OCI image that any runtime can execute # Build with Buildah (rootless, daemonless)buildah bud -t payment-api:latest .buildah push registry.razorpay.in/payment-api:latest# OCI image — works everywhereOCI and Docker — They Are the Same Format
Bash
# Inspect an image — it is an OCI manifestdocker manifest inspect nginx:1.25# {# "schemaVersion": 2,# "mediaType": "application/vnd.docker.distribution.manifest.v2+json",# "layers": [# {"mediaType": "application/vnd.docker.image.rootfs.diff.tar.gzip", ...}# ]# }# This is an OCI manifest — Docker and OCI specs converged # Modern Docker images use the OCI format natively# docker.distribution.manifest.v2 = OCI-compatiblePodman — Docker-Compatible OCI Tool
Bash
# Podman is a Docker-compatible CLI that uses OCI under the hood# No daemon required (rootless operation)# Same commands as Docker podman build -t myapp:latest .podman run -d myapp:latestpodman push registry.razorpay.in/myapp:latest # Drop-in replacement in most scripts:alias docker=podman# Most Docker commands work identically with PodmanREMEMBER THIS**Remember:** When you build a Docker image, you are actually creating an OCI image. Docker and the OCI standard are now essentially the same format. This means your images work with any modern container runtime — containerd on Kubernetes, Podman on developer laptops, or any other OCI-compliant tool — with no conversion or modification needed.