Implementors

This page contains a list of projects leveraging ORAS, as well as registries that are known to support OCI Artifacts.

Would like your registry and/or project listed here? Please submit a PR. We're happy to promote all usage, as well as provide feedback.

Projects using ORAS

• Helm
• Singularity
• falcoctl
• policy
• wasm-to-oci
• conftest
• notation
• awslabs/soci-snapshotter

Registries supporting OCI Artifacts

• CNCF Distribution - local/offline verification
• Azure Container Registry
• Amazon Elastic Container Registry
• Google Artifact Registry
• GitHub Packages container registry
• Bundle Bar
• Docker Hub
• Zot Registry

CNCF Distribution

https://github.com/distribution/distribution version 2.7+

CNCF Distribution is a reference implementation of the OCI distribution-spec. Running distribution locally, as a container, provides local/offline verification of ORAS and OCI Artifacts.

Using a local, unauthenticated container registry

Run the docker registry image locally:

docker run -it --rm -p 5000:5000 registry

This will start a distribution server at localhost:5000 (with wide-open access and no persistence outside of the container).

Using Docker Registry with authentication

• Create a valid htpasswd file (must use -B for bcrypt):

htpasswd -cB -b auth.htpasswd myuser mypass

• Start a registry using the password file for authentication:

docker run -it --rm -p 5000:5000 \
    -v $(pwd)/auth.htpasswd:/etc/docker/registry/auth.htpasswd \
    -e REGISTRY_AUTH="{htpasswd: {realm: localhost, path: /etc/docker/registry/auth.htpasswd}}" \
    registry

• In a new window, login with oras:

oras login -u myuser -p mypass localhost:5000

You will notice a new entry for localhost:5000 appear in ~/.docker/config.json.

To remove the entry from the credentials file, use oras logout:

oras logout localhost:5000

Using an insecure Docker registry

To login to the registry without a certificate, a self-signed certificate, or an unencrypted HTTP connection Docker registry, oras supports the --insecure flag.

• Create a valid htpasswd file (must use -B for bcrypt):

htpasswd -cB -b auth.htpasswd myuser mypass

• Generate your self-signed certificates:

$ mkdir -p certs
$ openssl req \
  -newkey rsa:4096 -nodes -sha256 -keyout certs/domain.key \
  -x509 -days 365 -out certs/domain.crt

• Start a registry using that file for auth and listen the 0.0.0.0 address:

docker run -it --rm -p 5000:5000 \
    -v `pwd`/certs:/certs \
    -v $(pwd)/auth.htpasswd:/etc/docker/registry/auth.htpasswd \
    -e REGISTRY_AUTH="{htpasswd: {realm: localhost, path: /etc/docker/registry/auth.htpasswd}}" \
    -e REGISTRY_HTTP_ADDR=0.0.0.0:5000 \
    -e REGISTRY_HTTP_TLS_CERTIFICATE=/certs/domain.crt \
    -e REGISTRY_HTTP_TLS_KEY=/certs/domain.key \
    registry

• In a new window, login with oras using the ip address not localhost:

oras login -u myuser -p mypass --insecure <registry-ip>:5000

You will notice a new entry for <registry-ip>:5000 appear in ~/.docker/config.json.

Then you can pull files from the registry or push files to the registry.

• To push single file to this registry:

oras push <registry-ip>:5000/library/hello:latest hi.txt --insecure

• To pull files from this registry:

oras pull <registry-ip>:5000/library/hello:latest --insecure

• To remove the entry from the credentials file, use oras logout:

oras logout <registry-ip>:5000

Using a plain HTTP Docker registry

To pull or push the HTTP Docker registry. oras support --plain-http flag to pull or push.

The --plain-http flag mean that you want to use http instead of https to connect the Docker registry.

• Create a valid htpasswd file (must use -B for bcrypt):

htpasswd -cB -b auth.htpasswd myuser mypass

• Start a registry using that file for auth and listen the 0.0.0.0 address:

docker run -it --rm -p 5000:5000 \
  -v $(pwd)/auth.htpasswd:/etc/docker/registry/auth.htpasswd \
  -e REGISTRY_AUTH="{htpasswd: {realm: localhost, path: /etc/docker/registry/auth.htpasswd}}" \
  -e REGISTRY_HTTP_ADDR=0.0.0.0:5000 \
  registry

• In a new window, login with oras using the ip address not localhost:

oras login -u myuser -p mypass --insecure <registry-ip>:5000

You will notice a new entry for <registry-ip>:5000 appear in ~/.docker/config.json.

Then you can pull files from the registry or push files to the registry.

• To push single file to this registry:

oras push <registry-ip>:5000/library/hello:latest hi.txt --plain-http

• To pull files from this registry:

oras pull <registry-ip>:5000/library/hello:latest --plain-http

• To remove the entry from the credentials file, use oras logout:

oras logout <registry-ip>:5000

Amazon Elastic Container Registry (ECR)

ECR Artifact Blog Post: https://aws.amazon.com/blogs/containers/oci-artifact-support-in-amazon-ecr/

• Authenticating with ECR using the AWS CLI

  aws ecr get-login-password --region $AWS_REGION --profile $PROFILE | oras login \
      --password-stdin \
      --username AWS \
      "${AWS_ACCOUNT_ID}.dkr.ecr.${AWS_REGION}.amazonaws.com"
  

• Pushing Artifacts to ECR

oras push $REPO_URI:1.0 \
    --artifact-type application/vnd.unknown.config.v1+json \
    ./artifact.txt:application/vnd.unknown.layer.v1+txt

• Pulling Artifacts from ECR

oras pull $REPO_URI:1.0

Azure Container Registry (ACR)

ACR Artifact Documentation: aka.ms/acr/artifacts

• Authenticating with ACR using Service Principals

oras login myregistry.azurecr.io --username $SP_APP_ID --password $SP_PASSWD

• Authenticating with ACR using AAD credentials and the az cli

az login
az acr login --name myregistry

• Pushing Artifacts to ACR

oras push myregistry.azurecr.io/samples/artifact:1.0 \
    --artifact-type application/vnd.unknown.config.v1+json \
    ./artifact.txt:application/vnd.unknown.layer.v1+txt

• Pulling Artifacts from ACR

oras pull myregistry.azurecr.io/samples/artifact:1.0

Google Artifact Registry (GAR)

• Authenticating with GAR using the gcloud command-line tool

gcloud auth configure-docker ${REGION}-docker.pkg.dev

• Pushing Artifacts to GAR

oras push ${REGION}-docker.pkg.dev/${GCP_PROJECT}/samples/artifact:1.0 \
  ./artifact.txt:application/vnd.unknown.layer.v1+txt

• Pulling Artifacts from GAR

oras pull ${REGION}-docker.pkg.dev/${GCP_PROJECT}/samples/artifact:1.0

GitHub Packages container registry (GHCR)

• Authenticating with GHCR

echo $GITHUB_PAT | oras login ghcr.io -u GITHUB_USERNAME --password-stdin

• Pushing Artifacts to GHCR

oras push ghcr.io/${GITHUB_OWNER}/samples/artifact:1.0 \
  ./artifact.txt:application/vnd.unknown.layer.v1+txt

• Pulling Artifacts from GHCR

oras pull ghcr.io/${GITHUB_OWNER}/samples/artifact:1.0

Bundle Bar

• Authenticating with Bundle Bar

echo $BB_TOKEN | oras login bundle.bar -u $BB_USER --password-stdin

• Pushing Artifacts to Bundle Bar

oras push bundle.bar/u/${BB_USER}/samples/artifact:1.0 \
  ./artifact.txt:application/vnd.unknown.layer.v1+txt

• Pulling Artifacts from Bundle Bar

oras pull bundle.bar/u/${BB_USER}/samples/artifact:1.0

Docker Hub

• Authenticating with Docker Hub

echo $ACCESS_TOKEN | docker login -u $DH_USER --password-stdin

• Pushing Artifacts to Docker Hub

oras push docker.io/${DH_USER}/artifact:1.0 \
  ./artifact.txt:application/vnd.unknown.layer.v1+txt

• Pulling Artifacts from Docker Hub

oras pull docker.io/${DH_USER}/artifact:1.0

Zot Registry

• Authenticating with Zot Registry

echo $ZR_PASSWORD | oras login <registry-ip>:5000 -u $ZR_USER --password-stdin 

• Pushing Artifacts to Zot Registry

oras push --plain-http <registry-ip>:5000/hello-artifact:v2 \
      --config config.json:application/vnd.acme.rocket.config.v1+json \
      artifact.txt:text/plain -d -v

• Pulling Artifacts from Zot Registry

oras pull --plain-http <registry-ip>:5000/hello-artifact:v2 -d -v

---

Last update: February 19, 2023