diff --git a/release/Makefile b/release/Makefile
--- a/release/Makefile
+++ b/release/Makefile
@@ -83,6 +83,9 @@
 .if !defined(NOSRC)
 DISTRIBUTIONS+= src.txz
 .endif
+.if defined(WITH_OCIIMAGES) && !empty(WITH_OCIIMAGES)
+DISTRIBUTIONS+= container-image-static.txz container-image-dynamic.txz container-image-minimal.txz
+.endif
 
 RELEASE_TARGETS= ftp
 IMAGES=
@@ -156,6 +159,20 @@
 	    --exclude 'usr/ports/INDEX*' --exclude work usr/ports | \
 	    ${XZ_CMD} > ${.OBJDIR}/ports.txz )
 
+.if defined(WITH_OCIIMAGES) && !empty(WITH_OCIIMAGES)
+oci-images:
+	sh ${.CURDIR}/scripts/make-oci-images.sh ${REVISION} ${BRANCH} ${TARGET_ARCH}
+
+.for _IMG in static dynamic minimal
+container-image-${_IMG}.txz: oci-images
+	skopeo copy \
+		containers-storage:localhost/freebsd${REVISION:R}-${_IMG}:latest \
+		oci-archive:${.OBJDIR}/container-image-${_IMG}.tar:freebsd${REVISION:R}-${_IMG}:${REVISION}-${BRANCH}-${TARGET_ARCH}
+	${XZ_CMD} < ${.OBJDIR}/container-image-${_IMG}.tar > ${.OBJDIR}/container-image-${_IMG}.txz
+.endfor
+
+.endif
+
 disc1: packagesystem
 # Install system
 	mkdir -p ${.TARGET}
diff --git a/release/release.conf.sample b/release/release.conf.sample
--- a/release/release.conf.sample
+++ b/release/release.conf.sample
@@ -114,3 +114,7 @@
 ## If WITH_CLOUDWARE is set to a non-empty value, this is a list of providers
 ## to create disk images.
 #CLOUDWARE="EC2 GCE OCI VAGRANT-VIRTUALBOX VAGRANT-VMWARE"
+
+## If WITH_OCIIMAGES is set to a non-empty value, build Open Container
+## Initiative (ICO) base images as part of the release.
+#WITH_OCIIMAGES=
diff --git a/release/release.sh b/release/release.sh
--- a/release/release.sh
+++ b/release/release.sh
@@ -120,6 +120,9 @@
 	# cloud providers as part of the release.
 	WITH_CLOUDWARE=
 
+	# Set to non-empty to build OCI images as part of the release
+	WITH_OCIIMAGES=
+
 	return 0
 } # env_setup()
 
@@ -288,6 +291,42 @@
 		fi
 	fi
 
+	if [ ! -z "${WITH_OCIIMAGES}" ]; then
+		# Install buildah and skopeo from ports if the ports tree is available;
+		# otherwise install the pkg.
+		if [ -d ${CHROOTDIR}/usr/ports ]; then
+			# Trick the ports 'run-autotools-fixup' target to do the right
+			# thing.
+			_OSVERSION=$(chroot ${CHROOTDIR} /usr/bin/uname -U)
+			REVISION=$(chroot ${CHROOTDIR} make -C /usr/src/release -V REVISION)
+			BRANCH=$(chroot ${CHROOTDIR} make -C /usr/src/release -V BRANCH)
+			UNAME_r=${REVISION}-${BRANCH}
+			GITUNSETOPTS="CONTRIB CURL CVS GITWEB GUI HTMLDOCS"
+			GITUNSETOPTS="${GITUNSETOPTS} ICONV NLS P4 PERL"
+			GITUNSETOPTS="${GITUNSETOPTS} SEND_EMAIL SUBTREE SVN"
+			GITUNSETOPTS="${GITUNSETOPTS} PCRE PCRE2"
+			PBUILD_FLAGS="OSVERSION=${_OSVERSION} BATCH=yes"
+			PBUILD_FLAGS="${PBUILD_FLAGS} UNAME_r=${UNAME_r}"
+			PBUILD_FLAGS="${PBUILD_FLAGS} OSREL=${REVISION}"
+			PBUILD_FLAGS="${PBUILD_FLAGS} WRKDIRPREFIX=/tmp/ports"
+			PBUILD_FLAGS="${PBUILD_FLAGS} DISTDIR=/tmp/distfiles"
+			for _PORT in sysutils/buildah sysutils/skopeo; do
+				eval chroot ${CHROOTDIR} env ${PBUILD_FLAGS} make -C \
+				     /usr/ports/${_PORT} \
+				     FORCE_PKG_REGISTER=1 deinstall install clean distclean
+			done
+		else
+			eval chroot ${CHROOTDIR} env ASSUME_ALWAYS_YES=yes \
+				pkg install -y sysutils/buildah sysutils/skopeo
+			eval chroot ${CHROOTDIR} env ASSUME_ALWAYS_YES=yes \
+				pkg clean -y
+		fi
+		# Use the vfs storage driver so that this works whether or not
+		# the build directory is on ZFS. The images are small so the
+		# performance difference is negligible.
+		eval chroot ${CHROOTDIR} sed -I .bak -e '/^driver/s/zfs/vfs/' /usr/local/etc/containers/storage.conf
+	fi
+
 	if [ ! -z "${EMBEDDEDPORTS}" ]; then
 		_OSVERSION=$(chroot ${CHROOTDIR} /usr/bin/uname -U)
 		REVISION=$(chroot ${CHROOTDIR} make -C /usr/src/release -V REVISION)
@@ -323,6 +362,9 @@
 	fi
 	eval chroot ${CHROOTDIR} make -C /usr/src ${RELEASE_WMAKEFLAGS} buildworld
 	eval chroot ${CHROOTDIR} make -C /usr/src ${RELEASE_KMAKEFLAGS} buildkernel
+	if [ ! -z "${WITH_OCIIMAGES}" ]; then
+		eval chroot ${CHROOTDIR} make -C /usr/src ${RELEASE_WMAKEFLAGS} packages
+	fi
 
 	return 0
 } # chroot_build_target
@@ -343,7 +385,8 @@
 			VMFORMATS=\"${VMFORMATS}\" VMSIZE=${VMSIZE}"
 	fi
 	eval chroot ${CHROOTDIR} make -C /usr/src/release \
-		${RELEASE_RMAKEFLAGS} release
+		${RELEASE_RMAKEFLAGS} release \
+		WITH_OCIIMAGES=${WITH_OCIIMAGES}
 	eval chroot ${CHROOTDIR} make -C /usr/src/release \
 		${RELEASE_RMAKEFLAGS} install DESTDIR=/R \
 		WITH_COMPRESSED_IMAGES=${WITH_COMPRESSED_IMAGES} \
diff --git a/release/scripts/make-manifest.sh b/release/scripts/make-manifest.sh
--- a/release/scripts/make-manifest.sh
+++ b/release/scripts/make-manifest.sh
@@ -14,6 +14,9 @@
 src="System source tree"
 lib32="32-bit compatibility libraries"
 tests="Test suite"
+oci_static="OCI base image for static-linked workloads"
+oci_dynamic="OCI base image for dynamic-linked workloads"
+oci_minimal="OCI base image for minimal shell workloads"
 
 desc_base="${base} (MANDATORY)"
 desc_base_dbg="${base} (Debugging)"
@@ -26,6 +29,9 @@
 desc_ports="${ports}"
 desc_src="${src}"
 desc_tests="${tests}"
+desc_oci_static="${oci_static} (Optional)"
+desc_oci_dynamic="${oci_dynamic} (Optional)"
+desc_oci_minimal="${oci_minimal} (Optional)"
 
 default_src=off
 default_ports=off
@@ -35,6 +41,9 @@
 default_kernel_alt=off
 default_kernel_dbg=on
 default_kernel_alt_dbg=off
+default_oci_static=off
+default_oci_dynamic=off
+default_oci_minimal=off
 
 for i in ${*}; do
 	dist="${i}"
diff --git a/release/scripts/make-oci-images.sh b/release/scripts/make-oci-images.sh
new file mode 100644
--- /dev/null
+++ b/release/scripts/make-oci-images.sh
@@ -0,0 +1,106 @@
+#! /bin/sh
+
+# Build Open Container Initiative (OCI) container images.
+#
+# Three images are built:
+#
+# - static which contains mtree directories, SSL certificates and a few other
+#   config files
+# - dynamic which adds some dynamic libs on top of static
+# - minimal which adds FreeBSD-runtime to support minimal shell workloads
+
+buildah rmi -af
+
+rev=$1; shift
+branch=$1; shift
+arch=$1; shift
+
+major=${rev%.*}
+minor=${rev#*.}
+
+abi=FreeBSD:${major}:${arch}
+
+echo "Building OCI images for ${abi}"
+
+workdir=$(mktemp -d -t oci-images)
+
+mkdir ${workdir}/repos
+cat > ${workdir}/repos/base.conf <<EOF
+FreeBSD-base: {
+  url: "file:///usr/obj/usr/src/repo/${abi}/latest"
+  signature_type: "none"
+  fingerprints: "none"
+}
+EOF
+cp /etc/pkg/FreeBSD.conf ${workdir}/repos
+
+install_packages() {
+	local workdir=$1; shift
+	local rootdir=$1; shift
+	if [ ! -d ${rootdir}/usr/share/keys/pkg/trusted ]; then
+		mkdir -p ${rootdir}/usr/share/keys/pkg/trusted
+	fi
+	cp /usr/share/keys/pkg/trusted/* ${rootdir}/usr/share/keys/pkg/trusted
+	# We install the packages and then remote repository metadata (keeping the
+	# metadata for what was installed). This trims more than 40Mb from the
+	# resulting image.
+	env IGNORE_OSVERSION=yes ABI=${abi} pkg --rootdir ${rootdir} --repo-conf-dir ${workdir}/repos \
+		install -yq "$@" || exit $?
+	rm -rf ${rootdir}/var/db/pkg/repos
+}
+
+c=$(buildah from scratch)
+m=$(buildah mount $c)
+mtree -deU -p $m/ -f /etc/mtree/BSD.root.dist > /dev/null
+mtree -deU -p $m/var -f /etc/mtree/BSD.var.dist > /dev/null
+mtree -deU -p $m/usr -f /etc/mtree/BSD.usr.dist > /dev/null
+mtree -deU -p $m/usr/include -f /etc/mtree/BSD.include.dist > /dev/null
+mtree -deU -p $m/usr/lib -f /etc/mtree/BSD.debug.dist > /dev/null
+install_packages ${workdir} $m FreeBSD-caroot FreeBSD-zoneinfo
+cp /etc/master.passwd $m/etc
+pwd_mkdb -p -d $m/etc $m/etc/master.passwd || return $?
+cp /etc/group $m/etc || return $?
+cp /etc/termcap.small $m/etc/termcap.small || return $?
+cp /etc/termcap.small $m/usr/share/misc/termcap || return $?
+env DESTDIR=$m /usr/sbin/certctl rehash
+# Generate a suitable repo config for pkgbase
+case ${branch} in
+	CURRENT|STABLE|BETA*)
+		repo=base_latest
+		;;
+	*)
+		repo=base_release_${minor}
+		;;
+esac
+mkdir -p $m/usr/local/etc/pkg/repos
+cat > $m/usr/local/etc/pkg/repos/base.conf <<EOF
+FreeBSD-base: {
+  url: "https://pkg.FreeBSD.org/\${ABI}/${repo}",
+  mirror_type: "srv",
+  signature_type: "fingerprints",
+  fingerprints: "/usr/share/keys/pkg",
+  enabled: yes
+}
+EOF
+buildah unmount $c
+buildah commit --rm $c freebsd${major}-static:latest
+
+c=$(buildah from freebsd${major}-static)
+m=$(buildah mount $c)
+install_packages ${workdir} $m FreeBSD-clibs FreeBSD-openssl-lib
+buildah unmount $c
+buildah commit --rm $c freebsd${major}-dynamic:latest
+
+c=$(buildah from freebsd${major}-dynamic)
+m=$(buildah mount $c)
+install_packages ${workdir} $m \
+	FreeBSD-runtime \
+	FreeBSD-certctl \
+	FreeBSD-kerberos-lib \
+	FreeBSD-libexecinfo \
+	FreeBSD-rc \
+	FreeBSD-pkg-bootstrap \
+	FreeBSD-mtree
+buildah unmount $c
+buildah config --cmd /bin/sh $c
+buildah commit --rm $c freebsd${major}-minimal:latest
diff --git a/share/examples/Makefile b/share/examples/Makefile
--- a/share/examples/Makefile
+++ b/share/examples/Makefile
@@ -21,6 +21,7 @@
 	libvgl \
 	mdoc \
 	netgraph \
+	oci \
 	perfmon \
 	ppi \
 	ppp \
@@ -199,6 +200,11 @@
 	virtual.chain \
 	virtual.lan \
 
+SE_DIRS+=	oci
+SE_OCI= \
+	README \
+	Containerfile.pkg
+
 SE_DIRS+=	perfmon
 SE_PERFMON= \
 	Makefile \
diff --git a/share/examples/oci/Containerfile.pkg b/share/examples/oci/Containerfile.pkg
new file mode 100644
--- /dev/null
+++ b/share/examples/oci/Containerfile.pkg
@@ -0,0 +1,27 @@
+# This is an example showing how to extend the freebsd-minimal OCI image by
+# install additional packages while keeping the resulting image as small as
+# possible.
+
+# The OS version matching the desired freebsd-minimal image
+ARG version=15.0-CURRENT-amd64
+
+# Select freebsd-minimal as our starting point.
+FROM localhost/freebsd-minimal:${version}
+
+# A list of package(s) to install
+ARG packages
+
+# Install package management tools. We specify 'FreeBSD' as the repository to
+# use for downloading pkg since the freebsd-minimal image has both FreeBSD and
+# FreeBSD-base pkg repo configs installed and FreeBSD-base does not contain the
+# pkg package.
+RUN env ASSUME_ALWAYS_YES=yes pkg bootstrap -r FreeBSD && pkg update
+
+# Install some package(s).
+RUN pkg install -y ${packages}
+
+# Clean up and remove package management overhead. We delete downloaded
+# packages, uninstall pkg and delete the repository metadata downloaded by 'pkg
+# install'.  This retains the record of which packages are installed in the
+# image.
+RUN pkg clean -ay && pkg delete -fy pkg && rm -rf /var/db/pkg/repos
diff --git a/share/examples/oci/README b/share/examples/oci/README
new file mode 100644
--- /dev/null
+++ b/share/examples/oci/README
@@ -0,0 +1,7 @@
+This example Containerfile shows how to add packages to freebsd-minimal while
+minimising the package metadata overhead.
+
+For instance, To build a new image called 'my-new-image:latest' containing the
+nginx package:
+
+# podman build --squash --build-arg packages=nginx --tag my-new-image:latest -f Containerfile.pkg
diff --git a/share/man/man7/release.7 b/share/man/man7/release.7
--- a/share/man/man7/release.7
+++ b/share/man/man7/release.7
@@ -22,7 +22,7 @@
 .\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 .\" SUCH DAMAGE.
 .\"
-.Dd August 6, 2023
+.Dd September 26, 2024
 .Dt RELEASE 7
 .Os
 .Sh NAME
@@ -150,7 +150,7 @@
 .Xr git 1
 host used to check out the various trees.
 Defaults to
-.Pa https://git.FreeeBSD.org .
+.Pa https://git.FreeBSD.org .
 .It Va SRCBRANCH
 The
 .Li src/
@@ -443,6 +443,18 @@
 cd /usr/src
 make -C release list-cloudware
 .Ed
+.Sh OCI IMAGES
+The
+.Fx
+release build tools have experimental support for building
+Open Container Initiative (OCI) format container base images.
+This is enabled using a
+.Fa release.conf
+variable:
+.Bl -tag -width Ev
+.It Va WITH_OCIIMAGES
+Set to a non-null value to build OCI base images.
+.El
 .Sh MAKEFILE TARGETS
 The release makefile
 .Pq Pa src/release/Makefile