oci
CLI tool for spawning and running containers according to the OCI specification.
youki is an implementation of the OCI runtime-spec in Rust, similar to runc.
The Container Security Platform. Application Kernel for Containers.
gVisor provides a strong layer of isolation between running applications and the host operating system. It is an application kernel that implements a Linux-like interface. Unlike Linux, it is written in a memory-safe language (Go) and runs in userspace.
gVisor includes an Open Container Initiative (OCI) runtime called runsc that makes it easy to work with existing container tooling. The runsc runtime integrates with Docker and Kubernetes, making it simple to run sandboxed containers.
layerleak: the Docker Hub Secret Scanner.
Traditional secret scanners often treat a container image as a flat blob or depend on a local Docker daemon. This project is designed around OCI image internals
The Open Container Initiative is an open governance structure for the express purpose of creating open industry standards around container formats and runtimes.
Established in June 2015 by Docker and other leaders in the container industry, the OCI currently contains three specifications: the Runtime Specification (runtime-spec), the Image Specification (image-spec) and the Distribution Specification (distribution-spec). The Runtime Specification outlines how to run a “filesystem bundle” that is unpacked on disk. At a high level, an OCI implementation would download an OCI Image, then unpack that image into an OCI Runtime filesystem bundle. At this point the OCI Runtime Bundle would be run by an OCI Runtime.
Fast container image distribution plugin with lazy pulling.
Pulling an image is one of the time-consuming steps in the container lifecycle. Research shows that the pull operation accounts for 76% of container startup time [FAST '16]. Stargz Snapshotter is an implementation of a snapshotter that aims to solve this problem by lazy pulling. Lazy pulling here means a container can run without waiting for the image pull to complete; the necessary chunks of the image are fetched on demand.
Lightweight Container Runtime for Kubernetes.
Open Container Initiative-based implementation of Kubernetes Container Runtime Interface. CRI-O follows the Kubernetes release cycles with respect to its minor versions (1.x.y). Patch releases (1.x.z) for Kubernetes are not in sync with those from CRI-O, because they are scheduled for each month, whereas CRI-O provides them only if necessary. If a Kubernetes release goes End of Life, then the corresponding CRI-O version can be considered in the same way.
Acceleration Framework For Cloud-Native Distribution.
The Dragonfly image service, providing fast, secure and easy access to container images. Nydus implements a content-addressable file system on the RAFS format, which enhances the current OCI image specification by improving container launch speed, image space and network bandwidth efficiency, and data integrity.
Publish and install private Python packages using OCI/Docker registries.
Docker Registry UI.
A simple, lightweight UI for exploring and managing Docker/OCI container registries.
RamaLama strives to make working with AI simple, straightforward, and familiar by using OCI containers.
RamaLama is an open-source developer tool that simplifies the local serving of AI models from any source and facilitates their use for inference in production, all through the familiar language of containers.
Stateless cluster local OCI registry mirror.
Speed up container pulls and minimize downtime with a stateless peer-to-peer OCI registry mirror for efficient image distribution.
A scale-out, production-ready, vendor-neutral, OCI-native container image/artifact registry (purely based on the OCI Distribution Specification).
Simple, secure, and reproducible packaging for AI/ML projects.
KitOps is an open source DevOps tool that packages and versions your AI/ML model, datasets, code, and configuration into a reproducible artifact called a ModelKit. ModelKits are built on existing standards, ensuring compatibility with the tools your data scientists and developers already use.
A Deployment Pipeline Framework That Sticks.
A framework for orchestrating and introspecting delivery pipelines. Integrates directly with Git, OCI and more (to come). Optional user interface for pipeline introspection and manipulation.
Glu is a framework built to help manage and coordinate multi-environment deployments using configuration stored in Git.
Boot and upgrade via container images.
Transactional, in-place operating system updates using OCI/Docker container images. bootc is the key component in a broader mission of bootable containers.
The original Docker container model of using "layers" to model applications has been extremely successful. This project aims to apply the same technique for bootable host systems - using standard OCI/Docker containers as a transport and delivery format for base operating system updates.
The Registry is a stateless, highly scalable server side application that stores and lets you distribute container images and other content.
This repository's main product is the Open Source Registry implementation for storing and distributing container images and other content using the OCI Distribution Specification. The goal of this project is to provide a simple, secure, and scalable base for building a large-scale registry solution or running a simple private registry. It is a core library for many registry operators including Docker Hub, GitHub Container Registry, GitLab Container Registry and DigitalOcean Container Registry, as well as the CNCF Harbor Project and VMware Harbor Registry.
Code signing and transparency for containers and binaries. Signing OCI containers (and other artifacts) using Sigstore! Cosign aims to make signatures invisible infrastructure.
An OCI base image of Fedora CoreOS with batteries included.
uCore is an OCI image of Fedora CoreOS with "batteries included". More specifically, it's an opinionated, custom CoreOS image, built daily with some common tools added in. The idea is to make a lightweight server image including commonly used services or the building blocks to host them.
PuzzleFS is a next-generation container filesystem.
PuzzleFS is a container filesystem designed to address the limitations of the existing OCI format. The main goals of the project are reduced duplication, reproducible image builds, direct mounting support and memory safety guarantees, some inspired by the OCIv2 design document.
Transform your application source code into images that can run on any cloud.
Your app, in your favorite language, ready to run in the cloud.
Buildpacks transform your application source code into container images. The Paketo open source project provides production-ready buildpacks for the most popular languages and frameworks.
Supply-chain Levels for Software Artifacts, or SLSA ("salsa").
SLSA is a specification for describing and incrementally improving supply chain security, established by industry consensus. It is organized into a series of levels that describe increasing security guarantees.
It’s a security framework, a checklist of standards and controls to prevent tampering, improve integrity, and secure packages and infrastructure. It’s how you get from "safe enough" to being as resilient as possible, at any link in the chain.
ORAS works similarly to Docker. It allows you to push (upload) and pull (download) things to and from an OCI Registry, and also handles login (authentication) and token flow (authorization). What ORAS does differently is shift the focus from container images to other types of artifacts.
The smallest PaaS implementation you've ever seen. An open source PaaS alternative to Heroku. Dokku helps you build and manage the lifecycle of applications from building to scaling.