Skip to content

Summary of Key Features

  • Conforms to OCI distribution spec APIs
  • Uses OCI image layout for image storage
    • Can serve any OCI image layout as a registry
  • Single binary for all the features
  • Doesn't require root privileges
  • Clear separation between core dist-spec and zot-specific extensions
  • Supports container image signatures - cosign and notation
  • Supports helm charts
  • Behavior controlled via configuration
  • Binaries released for multiple os/arch
  • Supports advanced image queries using search extension
  • Supports image deletion by tag
  • Currently suitable for on-prem deployments (e.g. colocated with Kubernetes)
  • Compatible with ecosystem tools such as skopeo and cri-o
  • Vulnerability scanning of images
  • TLS support
  • Authentication via:
    • TLS mutual authentication
    • HTTP Basic (local htpasswd and LDAP)
    • HTTP Bearer token
  • Supports Identity-Based Access Control
  • Supports live modifications on the config file while zot is running (Authorization config only)
  • Inline storage optimizations:
    • Automatic garbage collection of orphaned blobs
    • Layer deduplication using hard links when content is identical
    • Data scrubbing
  • Serve multiple storage paths (and backends) using a single zot server
  • Pull and synchronize from other dist-spec conformant registries
  • Supports ratelimiting including per HTTP method
  • Metrics with Prometheus
    • Using a node exporter in case of minimal zot
  • Swagger based documentation
  • zli: command-line client support
  • zb: a benchmarking tool for dist-spec conformant registries
  • Released under Apache 2.0 License
Last update: September 1, 2023