Docker image for ownCloud Infinite Scale (oCIS) — a modern file-sync and share platform.
Build & maintenance: see how these images are built, scanned, updated and published.
docker run --rm \
-p 9200:9200 \
-e OCIS_INSECURE=true \
owncloud/ocis:8.1.0| Tag | oCIS Version |
|---|---|
8.1.0, 8.1, 8 |
8.1.0 (latest stable) |
8.0.5, 8.0 |
8.0.5 |
<version>-YYYYMMDD |
Immutable per-build tag (e.g. 8.1.0-20260703) |
A daily build tracking the unreleased master branch of oCIS is published to
owncloud/ocis-rolling. It is built
every night at 02:00 UTC from the latest master commit.
Unstable: the rolling image contains unreleased code and is intended for testing against upcoming oCIS changes — not for production.
| Tag | Meaning |
|---|---|
latest |
The most recent daily build |
YYYYMMDD |
Immutable build for a specific day (e.g. 20260602) |
sha-<short> |
Build of a specific oCIS master commit (e.g. sha-a1b2c3d) |
docker pull owncloud/ocis-rolling:latest| Path | Purpose |
|---|---|
/var/lib/ocis |
Data directory |
/etc/ocis |
Configuration directory |
| Port | Protocol | Purpose |
|---|---|---|
9200 |
TCP | HTTPS gateway |
| ARG | Default | Purpose |
|---|---|---|
VERSION |
version-specific | oCIS git tag to clone and build (without v prefix, e.g. 8.0.1) |
GIT_REF |
v${VERSION} |
Git ref (branch or tag) to clone and build; overrides the default tag form to build a branch such as master |
GIT_SHA |
"" |
Optional exact commit to check out after cloning GIT_REF. Pins branch builds to a resolved commit and busts the clone-layer cache when it changes, keeping rolling builds fresh. Empty for release builds. |
REVISION |
"" |
Git SHA embedded in OCI labels |
TARGETARCH |
set by buildx | Target architecture (amd64, arm64) |
The image is built entirely from source via a three-stage Dockerfile:
node-builder — clones the oCIS git repository at v${VERSION}, builds the IDP React frontend (pnpm build) and downloads the web frontend assets (make pull-assets). Both are required at compile time because services/idp and services/web use //go:embed. The IDP pnpm build runs only when services/idp/package.json is present; newer oCIS master ("no-npm") commits the identifier assets directly and has no package.json, so the step is skipped automatically.
go-builder — compiles the oCIS binary with CGO and libvips enabled using the upstream Makefile target release-linux-docker-${TARGETARCH}. Outputs to dist/binaries/ocis-linux-${TARGETARCH}.
Runtime — minimal Alpine image with the binary copied from go-builder. The stage runs apk upgrade to refresh all installed OS packages to the latest available Alpine patch releases at build time, so security fixes are picked up immediately rather than waiting for a base-image tag bump.
To build locally:
docker buildx build \
--build-arg VERSION=8.0.1 \
--build-arg REVISION=$(git rev-parse HEAD) \
--platform linux/amd64 \
-f v8/Dockerfile.multiarch v8/The GitHub Actions workflow (.github/workflows/main.yml) builds and validates the image on every push, pull request, and weekly schedule.
Steps per release matrix entry:
- Build — multi-arch image (
linux/amd64,linux/arm64) pushed to an ephemeral local registry using BuildKit with GHA layer cache. - Trivy scan — scans for HIGH/CRITICAL CVEs; unfixable upstream CVEs are listed in
v8/.trivyignore. - Smoke test — starts the container, polls
https://localhost:9200/status.phpevery 2s for up to 62s, and verifies the.productversionfield in the JSON response matches the built tag. UsesOCIS_INSECURE=trueto allow self-signed TLS on the test runner. - Publish — pushes to Docker Hub with floating major/minor tags (on
masteronly).
See SUPPORT.md for the full list of support channels.
We welcome contributions! Please read the Contributing Guidelines and our Code of Conduct before getting started.
- Rebase Early, Rebase Often! We use a rebase workflow — rebase on the target branch before submitting a PR.
- Signed commits: All commits must be PGP/GPG signed and carry a DCO
Signed-off-byline (git commit -S -s). - Conventional Commits: PR titles must follow the Conventional Commits format — enforced by CI.
- GitHub Actions Policy: Workflows may only use actions owned by
owncloud, created by GitHub (actions/*), or verified in the GitHub Marketplace, pinned to a full commit SHA.
Note: bug reports and feature requests for oCIS itself belong upstream in
owncloud/ocis — this repository tracks only
the Docker packaging.
Do not open a public GitHub issue for security vulnerabilities.
Report vulnerabilities at https://security.owncloud.com — see SECURITY.md.
Bug bounty: YesWeHack ownCloud Program
The Kiteworks Open Source Program Office, operating under the ownCloud brand, launched on May 5, 2026, to steward the open source ecosystem around ownCloud's products. The OSPO ensures transparent governance, license compliance, community health, and sustainable collaboration between the open source community and Kiteworks, which acquired ownCloud in 2023.
- OSPO Home: https://kiteworks.com/opensource
- GitHub: https://github.com/owncloud
- ownCloud: https://owncloud.com
For questions about the OSPO or licensing, contact ospo@kiteworks.com.
This repository is licensed under the Apache License 2.0, which is the license the OSPO is adopting across the ecosystem. No relicensing is required.
Apache-2.0 — see LICENSE.