zot: A Vendor-Neutral OCI Registry

Shriira Press

Preface

A production-ready, vendor-neutral OCI registry that stores images and artifacts in open standards, scans them for vulnerabilities, verifies their signatures, and fits anywhere from a cloud cluster to an embedded device.

Welcome to zot: A Vendor-Neutral OCI Registry.

Every container image you run has to live somewhere, and that somewhere is a registry. zot is a CNCF sandbox project that takes a deliberately minimal, standards-first approach to the job: it is built purely on the OCI Distribution Specification and the OCI Image Format, stores everything on disk as an OCI image layout, and ships as a single Go binary small enough to run on a laptop, a CI runner, or an edge gateway. Around that strict core it adds the features a modern registry needs — full-text and GraphQL search, embedded Trivy CVE scanning, cosign and notation signature verification, sync and mirroring from upstream registries, pluggable local or S3 storage with deduplication and garbage collection, flexible authentication and fine-grained authorization, and a web UI — all as optional, compile-time extensions.

This book walks through zot from the ground up: what an OCI registry actually is and why standards matter, how zot lays bytes out on disk, its single-binary architecture, the storage backends, authentication and access control, sync mirroring, the search and CVE-scanning extensions, supply-chain trust with signatures and referrers, and finally how to run zot well in practice. Along the way we use real configuration keys, real zli commands, and the real extension names so that what you learn maps directly onto a running registry.

This title is part of the ShriIra library and is free to read in full, right here — our small contribution to making world-class knowledge easy to reach.

A note on reading it: open the Contents menu at the top of the reader to jump between chapters, use the Aa menu to set a comfortable text size, theme (light, sepia, or night), and single- or two-page layout. Your place is saved automatically, so you can always pick up where you left off.

We hope it serves you well.

— Shriira Press

Contents

  1. Chapter 1 — The Registry Problem
  2. Chapter 2 — Built on OCI Standards
  3. Chapter 3 — Architecture and the Single Binary
  4. Chapter 4 — Storage: Local, S3, Dedupe, and GC
  5. Chapter 5 — Authentication and Authorization
  6. Chapter 6 — Sync and Mirroring
  7. Chapter 7 — Search, CVE Scanning, and the UI
  8. Chapter 8 — Supply-Chain Trust
  9. Chapter 9 — zot in Practice