gnoci

gnoci is a command-line tool for building OCI container images from a simple TOML configuration file.

Features

Builds OCI images quickly using a simple, declarative config file.

Images only contain:

the specified files
their dynamic library dependencies
any relevant OS package metadata/license files for Trivy/Syft integration (RPM/debian-based distros only)

Usage

$ gnoci --help
Small OCI image builder

Usage: gnoci [OPTIONS] <PATH>

Arguments:
  <PATH>  Output OCI image directory path

Options:
  -t, --tag <TAG>      Optional tag for the image
  -f, --file <FILE>    Config file [default: gnoci.toml]
      --label <LABEL>  Labels to apply to the image, as KEY=VALUE strings
  -h, --help           Print help
  -V, --version        Print version

Example

gnoci -t v1 -f custom.toml ./output-dir

This builds an OCI image using custom.toml and writes it to the OCI image directory (which is created if it doesn't exist) ./output-dir with the tag v1.

Configuration

The config file (default: gnoci.toml) is written in TOML and supports the following structure:

# gnoci.toml
# Image configuration fields
cmd = ["/usr/bin/myapp"]
# ...other image configuration fields... 

[[entries]]
source = "bin/myapp"
target = "/usr/bin/myapp"
mode = 0o755       # optional
uid = 1001         # optional
gid = 1001         # optional

Scanning tool integration

When building an image on an RPM-based distro, gnoci will automatically generate an RPM manifest at
/var/lib/rpmmanifest/container-manifest-2 inside the image layer (if rpm is available on the host).
This will list any packages that own files included in the image.
This enables vulnerability and package scanning with tools like Trivy and Syft, which can detect and report installed RPM packages based on this manifest.

For debian based distros, dpkg status files are created for any packages whose files were included in the image.