OCI Container and Artifact Registry

What is an OCI Artifact Registry?

An OCI Artifact Registry is a service designed to store and manage software artifacts. In OCI terminology, these artifacts are stored as "blobs" (binary large objects), which can be container images, Helm charts, Terraform modules, or other software components. Each blob is uniquely addressable by a digest, making it easy to track and manage throughout the software development and deployment workflows.

These registries support the Open Container Initiative (OCI) standard, ensuring interoperability and consistency in artifact handling across different systems and environments.

What is an Artifact in Software?

In computer science, a software artifact (or artefact, both spellings are used, but artifact is more common) refers to any tangible by-product produced during software development or operations. Examples include container images, compiled binaries, documentation, and infrastructure templates such as Terraform modules.

Benefits of Using OCI Artifact Registries

OCI Artifact Registries provide several advantages:

Minimal Footprint: Registries optimize artifact storage by deduplicating identical (base-)layers.
Centralized Artifact Management: By centralizing software artifacts, registries enable efficient version control, reducing complexity when managing deployments, updates, and rollbacks.
Enhanced Container Base Security: By managing artifacts in a dedicated registry, organizations can enforce container image security policies, ensuring that only vetted and secure images are deployed in environments.
Usage Tracking and Analytics: Although usage tracking and analytics aren't standard features in most OCI registries, having the capability to have an audit log for artifact downloads is highly valuable.

Platforms like the Distr registry offer these advanced analytics capabilities.

How OCI Artifact Registries Enable On-Premises Software Delivery

OCI Artifact Registries significantly simplify software artifact distribution, particularly for on-premises environments:

Private Registries for Controlled Deployment: Organizations leveraging on-premises solutions often require full control over artifact distribution. OCI-compliant private registries ensure artifacts, like Terraform modules from a private Terraform registry or private enterprise Helm charts are securely and privately accessible to authorized environments.
Reliable Artifact Supply Chain: OCI Artifact Registries are key parts in building a reliable software artifact supply chain, allowing secure, verified software artifacts to flow seamlessly from development to production environments.
Self-Managed Registries: Organizations requiring single-tenancy or strict compliance benefit from OCI Artifact by hosting their own artifact registry internally, so they can distribute containers withing their network.

Pushing and Pulling from OCI Registries

OCI registries support standardized ways to push and pull artifacts. ORAS (OCI Registry As Storage) is a common tool used for this purpose.

note

To install ORAS:

macOS: brew install oras
Windows: choco install oras
Linux:

curl -LO https://github.com/oras-project/oras/releases/download/v1.1.0/oras_1.1.0_linux_amd64.tar.gz
mkdir -p oras-install/
tar -zxf oras_1.1.0_linux_amd64.tar.gz -C oras-install/
sudo mv oras-install/oras /usr/local/bin/
rm -rf oras_1.1.0_linux_amd64.tar.gz oras-install/

You can verify the installation with: oras version

Basic usage of ORAS:

# Push an artifact
oras push registry.example.com/hello-artifact:v1 \
    --artifact-type application/vnd.unknown.artifact.v1 \
    ./hello.txt:text/plain

# Pull an artifact
oras pull registry.example.com/hello-artifact:v1

OCI Registry for Terraform modules

Terraform private registries specifically store Terraform modules, enabling secure sharing and reuse of infrastructure templates within an organization. OCI Artifact Registries can similarly store Terraform modules alongside container images and other software artifacts, simplifying infrastructure-as-code workflows.

Example of pushing a Terraform module:

tar cvzf my-module.tar.gz my-module/
oras push my-registry.example.com/my-terraform-module:v1.0 \
  --artifact-type application/vnd.hashicorp.terraform.module.v1+tar.gz \
  my-module.tar.gz

OCI Registry for Helm Charts

Beginning from Helm v3.8.0 OCI support is enabled by default and provides a standardized way to manage and share Helm charts securely across different environments.

Example:

helm package my-chart/
helm push my-chart-0.1.0.tgz oci://my-registry.example.com/helm-charts

Examples of OCI registries

Some examples of OCI registries include:

Open Source:

Hosted:

Open source OCI registries reference implementation

These projects serve as reference implementations for building OCI-compliant registries:

OCI registry specifications

OCI registry specifications define the standards for storing, distributing, and running containerized applications in a consistent and interoperable way. These specifications ensure compatibility across different registries, runtimes, and container tools, enabling a reliable ecosystem for modern software deployment.

These are the three OCI specifications

OCI Image Format Specification – Defining how container images should be structured, stored, and transported.
OCI Distribution Specification – Standardizing how container images and artifacts are distributed via OCI-compliant registries.
OCI Runtime Specification – Specifying the low-level execution environment for running OCI-compliant containers.

OCI registry conformance

OCI registry conformance ensures that a registry has been tested against the OCI Distribution Specification. There are no conformance tests available for the runtime or image format specs yet, verifying its adherence to OCI standards and ensuring interoperability with OCI-compliant tools.

A conformant registry must support APIs categorized into the following workflow groups:

Pull - Clients are able to pull from the registry
Push - Clients are able to push to the registry
Content Discovery - Clients are able to list or otherwise query the content stored in the registry
Content Management - Clients are able to control the full life-cycle of the content stored in the registry

To be considered an OCI-conformant registry, at minimum, all APIs in the Pull category must be supported.

Conformance testing

If you are developing a registry service and want to verify compliance with these workflow categories, use the conformance testing tool.

note

Check out conformance results for major open-source and hosted artifact registries.

Key Terms Recap

Software Artifacts Examples: Container images, Terraform modules, Helm charts, binaries, documentation.
Artifact Meaning in Software: Any product or by-product created during software development or deployment.
Container Image Security: Practices ensuring container images stored in registries are secure and minimal to reduce vulnerabilities.
Secure Docker Images: Docker images hardened against security threats, stored securely in OCI-compliant registries.
Blob: The binary form of content that is stored by a registry, addressable by a digest. Blobs are the fundamental storage unit in OCI registries.

What is an OCI Artifact Registry?​

What is an Artifact in Software?​

Benefits of Using OCI Artifact Registries​

How OCI Artifact Registries Enable On-Premises Software Delivery​

Pushing and Pulling from OCI Registries​

OCI Registry for Terraform modules​

OCI Registry for Helm Charts​

Examples of OCI registries​

Open Source:​

Hosted:​

Open source OCI registries reference implementation​

OCI registry specifications​

OCI registry conformance​

Conformance testing​

Key Terms Recap​