Azure Container Registry (ACR) now has support for the OCI v1.1-RC Specifications. The update continues the journey of standardizing OCI Distribution-based registries to store, discover and distribute all types of artifacts, including adding references to existing images and other OCI artifacts.
It started 4 years ago when ACR added support for Helm Chart distribution using the existing registry services users have already configured for their secure environments. We knew Helm adoption would require support across all registries, which initiated the OCI Artifacts and ORAS projects.
As supply chain initiatives drove the need for distributing detached signatures for container images and signed Software Bill of Materials (SBOM), reference types were needed to add information to the registry without mutating the existing content. The new addition to OCI Artifacts is the OCI Artifact Manifest, which supports signatures, SBOM, provenance, attestations, and other references, creating a graph of artifacts that can be tracked together or pulled independently. The manifest and a new referrers discovery API are the key enhancements to the OCI v1.1 Specifications.
We’re happy to announce that ACR is the first cloud registry to support the new OCI v1.1 Specifications!
What is the OCI standard and why is it important?
The Open Container Initiative (OCI) is an open governance organization facilitating vendor-neutral specifications for packaging filesystem bundles and how to make packaged content addressable and accessible.
OCI has two related specifications, namely Image spec and Distribution spec which are vendor-neutral industry standards. The Image spec outlines how to create OCI images, and the Distribution spec defines how to make content distribution interoperable. The OCI Artifacts project defines how the Image and distribution specs can be generalized to store, discover, and distribute any arbitrary content, enabling a vast ecosystem of projects that don’t have to create yet another package manager to distribute their artifacts.
Whether you deploy container images or Web Assemblies, evolving secure supply chain processes require signatures, SBOMs, and scan results to be distributed with their subject artifacts.
Just a few years ago, there were no standards or tooling for registries to natively store, discover, and pull a graph of OCI artifacts. To extend the registry’s role and form the industry standard, members of the ACR team proposed a new artifact manifest type to describe and query relationships between objects stored in a registry, without mutating the existing content.
Initially, the reference types work was incubated under the CNCF ORAS Artifact manifest project, and it was recently contributed to the OCI Image and Distribution v1.1 Specifications. Today, we’re happy to announce ACR is the first cloud registry to implement the new OCI standard, providing a developer-friendly experience on Azure.
Why adopt the OCI Artifact Manifest?
In 2021, the US government highlighted the importance of software supply chain security with two executive orders: supply chains and cybersecurity. Many companies around the world are following their requirements. As a result, ensuring the integrity and ability to deliver and track the lifecycle of all the related security artifacts alongside their container images is core to our customer needs. By storing the supply chain supporting artifacts in the same registry service as the container images, users can benefit from features like geo-replication, availability zones, virtual networks, role-based access control, and all the other security, performance and reliability features customers require for their development and production environments.
Like an OCI container image, an OCI Artifact manifest can be referenced by the hash of its manifest. Artifact references enable the discovery of the detached signature or the SBOM for the container image. References provide lifecycle management, assuring the signatures, SBOMs, provenance & attestations, and scan results are archived or deleted as the images are archived and deleted. As users promote images within and across registries, the references can also be copied with a single command using tools like oras copy.
The OCI 1.1 Specifications enable users to manage the entire graph of supporting content with the same infrastructure and tools they use to manage their container images. And, all of this works for any root artifact you may store in a registry, including the evolving Web Assembly (WASM) efforts.
Empowering supply chain artifacts discovery and distribution
With the OCI artifact manifest support, ACR enables the following end-to-end workflow of delivering container-based software in the supply chain scenario. Developers sign images and any other OCI Artifacts using tools like Notary v2. SBOMs are then attached using tools like oras attach. The container images, with their references, are published and stored in ACR.
In addition, the references maintain a lifecycle graph. When you delete the root artifact, the container image, the signatures, SBOMs, and scan results can all be deleted as well, assuring the registry isn’t filled with zombie artifacts.
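The reference graph described above, modeled in memory as an added example (this is not ACR or ORAS code). The manifest field names follow the OCI v1.1-RC artifact manifest; the `Repo` class, the artifact types, and the payloads are hypothetical and constructed for illustration.

```python
import hashlib
import json

ARTIFACT_MANIFEST = "application/vnd.oci.artifact.manifest.v1+json"  # OCI v1.1-RC media type
IMAGE_MANIFEST = "application/vnd.oci.image.manifest.v1+json"
SIG, SBOM = "application/vnd.example.signature", "application/vnd.example.sbom"  # constructed types

def digest_of(raw: bytes) -> str:
    return "sha256:" + hashlib.sha256(raw).hexdigest()

class Repo:  # hypothetical in-memory repository, manifests keyed by content digest
    def __init__(self):
        self.manifests = {}  # digest -> canonical manifest bytes

    def push(self, manifest: dict) -> dict:
        raw = json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()
        desc = {"mediaType": manifest["mediaType"], "digest": digest_of(raw), "size": len(raw)}
        self.manifests[desc["digest"]] = raw
        return desc

    def attach(self, subject: dict, artifact_type: str, payload: bytes) -> dict:
        # A reference is a new manifest whose `subject` names the target; the target is not rewritten.
        blob = {"mediaType": "text/plain", "digest": digest_of(payload), "size": len(payload)}
        return self.push({"mediaType": ARTIFACT_MANIFEST, "artifactType": artifact_type,
                          "blobs": [blob], "subject": subject})

    def referrers(self, subject_digest: str, artifact_type: str = None) -> list:
        # Models referrers discovery: every manifest whose subject is this digest.
        docs = ((d, json.loads(raw)) for d, raw in self.manifests.items())
        return [{"digest": d, "artifactType": m.get("artifactType")} for d, m in docs
                if m.get("subject", {}).get("digest") == subject_digest
                and artifact_type in (None, m.get("artifactType"))]

    def delete_graph(self, root_digest: str) -> list:
        # Delete referrers depth-first, then the root, so no orphaned references remain.
        removed = []
        for ref in self.referrers(root_digest):
            removed += self.delete_graph(ref["digest"])
        del self.manifests[root_digest]
        return removed + [root_digest]

def demo() -> dict:
    repo = Repo()
    image = repo.push({"mediaType": IMAGE_MANIFEST, "schemaVersion": 2, "layers": []})  # constructed
    repo.attach(image, SIG, b"constructed signature envelope")
    sbom = repo.attach(image, SBOM, b"constructed SBOM document")
    repo.attach(sbom, SIG, b"constructed signature over the SBOM")
    return {"image": image["digest"], "sbom": sbom["digest"],
            "all": repo.referrers(image["digest"]), "sboms": repo.referrers(image["digest"], SBOM),
            "removed": repo.delete_graph(image["digest"]), "left": len(repo.manifests)}
```

Because the signature and SBOM are separate manifests, the image digest that deployments pin to is the same before and after they are attached, and a verifier can filter referrers by artifact type to fetch only what it needs.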
With content promotion enabled by the OCI Specifications, users can easily copy a graph of OCI content across registries and repositories using tools like oras copy.
As shown in the following diagram, users can pull the images with associated supply chain artifacts from ACR. This enables supply chain artifacts to be validated with open-source projects like Notary v2 and Ratify. If the validation passes, the images can be deployed to Kubernetes.
Using ORAS CLI to distribute OCI artifacts across registries
How can you easily distribute supply chain artifacts across registries? ORAS is an OCI registry client that enables users to distribute OCI artifacts to or across any OCI Distribution compatible registries. ORAS supports the OCI artifact manifest and provides backward compatibility to the OCI image manifest since v0.16.0. Below, you can see how the ORAS CLI distributes supply chain artifacts across registries.
Give OCI Artifact References a spin today
OCI Artifact Manifest is available now in public preview on Azure. Start your innovation journey with the emerging OCI standard in ACR as it helps you to safeguard your software supply chain and accelerate delivery. Follow this hands-on guide to take the first step of OCI Artifact Manifest storage and distribution with ACR now.
We appreciate any feedback or thoughts about this new feature in ACR via the feedback portal.