diff --git a/release/Makefile.oci b/release/Makefile.oci
index da35156c5a95..e4b5df580055 100644
--- a/release/Makefile.oci
+++ b/release/Makefile.oci
@@ -1,36 +1,32 @@
 #
 #
 #
 # Makefile for building OCI container images.
 #
 
 .if defined(WITH_OCIIMAGES) && !empty(WITH_OCIIMAGES)
 OCI_IMAGES= static dynamic minimal
 .endif
 
 oci-install:
 .if defined(WITH_OCIIMAGES) && !empty(WITH_OCIIMAGES)
 	mkdir -p ${DESTDIR}/ociimages
 . for _IMG in ${OCI_IMAGES}
 	cp -p ${.OBJDIR}/container-image-${_IMG}.txz ${DESTDIR}/ociimages
 . endfor
 .endif
 
 OCI_TARGETS=
 OCI_DEPS_static=
 OCI_DEPS_dynamic= container-image-static.txz
 OCI_DEPS_minimal= container-image-dynamic.txz
 
 .for _IMG in ${OCI_IMAGES}
 OCI_TARGETS+= container-image-${_IMG}.txz
 container-image-${_IMG}.txz: ${OCI_DEPS_${_IMG}}
 	# Adjust PATH so that we run pwd_mkdb from the bootstrap tools
 	env PATH=${OBJTOP}/tmp/legacy/bin:${PATH:Q} \
-	sh ${.CURDIR}/scripts/make-oci-image.sh ${.CURDIR} ${REVISION} ${BRANCH} ${TARGET_ARCH} ${_IMG}
-	skopeo copy \
-		containers-storage:localhost/freebsd${REVISION:R}-${_IMG}:latest \
-		oci-archive:${.OBJDIR}/container-image-${_IMG}.tar:freebsd${REVISION:R}-${_IMG}:${REVISION}-${BRANCH}-${TARGET_ARCH}
-	${XZ_CMD} < ${.OBJDIR}/container-image-${_IMG}.tar > ${.OBJDIR}/container-image-${_IMG}.txz
+	sh ${.CURDIR}/scripts/make-oci-image.sh ${.CURDIR} ${REVISION} ${BRANCH} ${TARGET_ARCH} ${_IMG} container-image-${_IMG}.txz
 .endfor
 
 oci-release: ${OCI_TARGETS}
diff --git a/release/release.sh b/release/release.sh
index d6752e016994..5a6de297f7a1 100755
--- a/release/release.sh
+++ b/release/release.sh
@@ -1,498 +1,460 @@
 #!/bin/sh
 #-
 # Copyright (c) 2020-2021 Rubicon Communications, LLC (netgate.com)
 # Copyright (c) 2013-2019 The FreeBSD Foundation
 # Copyright (c) 2013 Glen Barber
 # Copyright (c) 2011 Nathan Whitehorn
 # All rights reserved.
 #
 # Portions of this software were developed by Glen Barber
 # under sponsorship from the FreeBSD Foundation.
 #
 # Redistribution and use in source and binary forms, with or without
 # modification, are permitted provided that the following conditions
 # are met:
 # 1. Redistributions of source code must retain the above copyright
 #    notice, this list of conditions and the following disclaimer.
 # 2. Redistributions in binary form must reproduce the above copyright
 #    notice, this list of conditions and the following disclaimer in the
 #    documentation and/or other materials provided with the distribution.
 #
 # THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
 # ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 # IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 # ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 # FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 # DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 # OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 # HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 # LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 # OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 # SUCH DAMAGE.
 #
 # release.sh: check out source trees, and build release components with
 #  totally clean, fresh trees.
 # Based on release/generate-release.sh written by Nathan Whitehorn
 #
 
 export PATH="/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin"
 
 VERSION=3
 
 # Prototypes that can be redefined per-chroot or per-target.
 load_chroot_env() { }
 load_target_env() { }
 buildenv_setup() { }
 
 usage() {
 	echo "Usage: $0 [-c release.conf]"
 	exit 1
 }
 
 # env_setup(): Set up the default build environment variables, such as the
 # CHROOTDIR, VCSCMD, GITROOT, etc.  This is called before the release.conf
 # file is sourced, if '-c <release.conf>' is specified.
 env_setup() {
 	# The directory within which the release will be built.
 	CHROOTDIR="/scratch"
 	if [ -z "${RELENGDIR}" ]; then
 		export RELENGDIR="$(dirname $(realpath ${0}))"
 	fi
 
 	# The default version control system command to obtain the sources.
 	for _dir in /usr/bin /usr/local/bin; do
 		[ -x "${_dir}/git" ] && VCSCMD="/${_dir}/git"
 		[ ! -z "${VCSCMD}" ] && break 2
 	done
 
 	if [ -z "${VCSCMD}" -a -z "${NOGIT}" ]; then
 		echo "*** The devel/git port/package is required."
 		exit 1
 	fi
 	VCSCMD="/usr/local/bin/git clone -q"
 
 	# The default git checkout server, and branches for src/, doc/,
 	# and ports/.
 	GITROOT="https://git.FreeBSD.org/"
 	SRCBRANCH="main"
 	PORTBRANCH="main"
 	GITSRC="src.git"
 	GITPORTS="ports.git"
 
 	# Set for embedded device builds.
 	EMBEDDEDBUILD=
 
 	# The default make.conf and src.conf to use.  Set to /dev/null
 	# by default to avoid polluting the chroot(8) environment with
 	# non-default settings.
 	MAKE_CONF="/dev/null"
 	SRC_CONF="/dev/null"
 
 	# The number of make(1) jobs, defaults to the number of CPUs available
 	# for buildworld, and half of number of CPUs available for buildkernel
 	# and 'make release'.
 	WORLD_FLAGS="-j$(sysctl -n hw.ncpu)"
 	KERNEL_FLAGS="-j$(( $(( $(sysctl -n hw.ncpu) + 1 )) / 2))"
 	RELEASE_FLAGS="-j$(( $(( $(sysctl -n hw.ncpu) + 1 )) / 2))"
 
 	MAKE_FLAGS="-s"
 
 	# The name of the kernel to build, defaults to GENERIC.
 	KERNEL="GENERIC"
 
 	# Set to non-empty value to disable checkout of doc/ and/or ports/.
 	NOPORTS=
 
 	# Set to non-empty value to disable distributing source tree.
 	NOSRC=
 
 	# Set to non-empty value to build dvd1.iso as part of the release.
 	WITH_DVD=
 	WITH_COMPRESSED_IMAGES=
 
 	# Set to non-empty value to build virtual machine images as part of
 	# the release.
 	WITH_VMIMAGES=
 	WITH_COMPRESSED_VMIMAGES=
 	XZ_THREADS=0
 
 	# Set to non-empty value to build virtual machine images for various
 	# cloud providers as part of the release.
 	WITH_CLOUDWARE=
 
 	# Set to non-empty to build OCI images as part of the release
 	WITH_OCIIMAGES=
 
 	return 0
 } # env_setup()
 
 # env_check(): Perform sanity tests on the build environment, such as ensuring
 # files/directories exist, as well as adding backwards-compatibility hacks if
 # necessary.  This is called unconditionally, and overrides the defaults set
 # in env_setup() if '-c <release.conf>' is specified.
 env_check() {
 	chroot_build_release_cmd="chroot_build_release"
 
 	# Prefix the branches with the GITROOT for the full checkout URL.
 	SRC="${GITROOT}${GITSRC}"
 	PORT="${GITROOT}${GITPORTS}"
 
 	if [ -n "${EMBEDDEDBUILD}" ]; then
 		WITH_DVD=
 		WITH_COMPRESSED_IMAGES=
 		case ${EMBEDDED_TARGET}:${EMBEDDED_TARGET_ARCH} in
 			arm:arm*|arm64:aarch64|riscv:riscv64*)
 				chroot_build_release_cmd="chroot_arm_build_release"
 				;;
 			*)
 				;;
 		esac
 	fi
 
 	# If NOSRC and/or NOPORTS are unset, they must not pass to make
 	# as variables.  The release makefile verifies definedness of the
 	# NOPORTS variable instead of its value.
 	SRCPORTS=
 	if [ -n "${NOPORTS}" ]; then
 		SRCPORTS="NOPORTS=yes"
 	fi
 	if [ -n "${NOSRC}" ]; then
 		SRCPORTS="${SRCPORTS}${SRCPORTS:+ }NOSRC=yes"
 	fi
 
 	# The aggregated build-time flags based upon variables defined within
 	# this file, unless overridden by release.conf.  In most cases, these
 	# will not need to be changed.
 	CONF_FILES="__MAKE_CONF=${MAKE_CONF} SRCCONF=${SRC_CONF}"
 	NOCONF_FILES="__MAKE_CONF=/dev/null SRCCONF=/dev/null"
 	if [ -n "${TARGET}" ] && [ -n "${TARGET_ARCH}" ]; then
 		ARCH_FLAGS="TARGET=${TARGET} TARGET_ARCH=${TARGET_ARCH}"
 	else
 		ARCH_FLAGS=
 	fi
 
 	if [ -z "${CHROOTDIR}" ]; then
 		echo "Please set CHROOTDIR."
 		exit 1
 	fi
 
 	if [ $(id -u) -ne 0 ]; then
 		echo "Needs to be run as root."
 		exit 1
 	fi
 
 	# Unset CHROOTBUILD_SKIP if the chroot(8) does not appear to exist.
 	if [ ! -z "${CHROOTBUILD_SKIP}" -a ! -e ${CHROOTDIR}/bin/sh ]; then
 		CHROOTBUILD_SKIP=
 	fi
 
 	CHROOT_MAKEENV="${CHROOT_MAKEENV} \
 		MAKEOBJDIRPREFIX=${CHROOTDIR}/tmp/obj"
 	CHROOT_WMAKEFLAGS="${MAKE_FLAGS} ${WORLD_FLAGS} ${NOCONF_FILES}"
 	CHROOT_IMAKEFLAGS="${WORLD_FLAGS} ${NOCONF_FILES}"
 	CHROOT_DMAKEFLAGS="${WORLD_FLAGS} ${NOCONF_FILES}"
 	RELEASE_WMAKEFLAGS="${MAKE_FLAGS} ${WORLD_FLAGS} ${ARCH_FLAGS} \
 		${CONF_FILES}"
 	RELEASE_KMAKEFLAGS="${MAKE_FLAGS} ${KERNEL_FLAGS} \
 		KERNCONF=\"${KERNEL}\" ${ARCH_FLAGS} ${CONF_FILES}"
 	RELEASE_RMAKEFLAGS="${ARCH_FLAGS} ${RELEASE_FLAGS} \
 		KERNCONF=\"${KERNEL}\" ${CONF_FILES} ${SRCPORTS} \
 		WITH_DVD=${WITH_DVD} WITH_VMIMAGES=${WITH_VMIMAGES} \
 		WITH_CLOUDWARE=${WITH_CLOUDWARE} WITH_OCIIMAGES=${WITH_OCIIMAGES} \
 		XZ_THREADS=${XZ_THREADS}"
 
 	return 0
 } # env_check()
 
 # chroot_setup(): Prepare the build chroot environment for the release build.
 chroot_setup() {
 	load_chroot_env
 	mkdir -p ${CHROOTDIR}/usr
 
 	if [ -z "${SRC_UPDATE_SKIP}" ]; then
 		if [ -d "${CHROOTDIR}/usr/src/.git" ]; then
 			git -C ${CHROOTDIR}/usr/src pull -q
 		else
 			${VCSCMD} ${SRC} -b ${SRCBRANCH} ${CHROOTDIR}/usr/src
 		fi
 	fi
 	if [ -z "${NOPORTS}" ] && [ -z "${PORTS_UPDATE_SKIP}" ]; then
 		if [ -d "${CHROOTDIR}/usr/ports/.git" ]; then
 			git -C ${CHROOTDIR}/usr/ports pull -q
 		else
 			${VCSCMD} ${PORT} -b ${PORTBRANCH} ${CHROOTDIR}/usr/ports
 		fi
 	fi
 
 	if [ -z "${CHROOTBUILD_SKIP}" ]; then
 		cd ${CHROOTDIR}/usr/src
 		env ${CHROOT_MAKEENV} make ${CHROOT_WMAKEFLAGS} buildworld
 		env ${CHROOT_MAKEENV} make ${CHROOT_IMAKEFLAGS} installworld \
 			DESTDIR=${CHROOTDIR}
 		env ${CHROOT_MAKEENV} make ${CHROOT_DMAKEFLAGS} distribution \
 			DESTDIR=${CHROOTDIR}
 	fi
 
 	return 0
 } # chroot_setup()
 
 # extra_chroot_setup(): Prepare anything additional within the build
 # necessary for the release build.
 extra_chroot_setup() {
 	mkdir -p ${CHROOTDIR}/dev
 	mount -t devfs devfs ${CHROOTDIR}/dev
 	[ -e /etc/resolv.conf -a ! -e ${CHROOTDIR}/etc/resolv.conf ] && \
 		cp /etc/resolv.conf ${CHROOTDIR}/etc/resolv.conf
 	# Run ldconfig(8) in the chroot directory so /var/run/ld-elf*.so.hints
 	# is created.  This is needed by ports-mgmt/pkg.
 	eval chroot ${CHROOTDIR} /etc/rc.d/ldconfig forcerestart
 
 	# If MAKE_CONF and/or SRC_CONF are set and not character devices
 	# (/dev/null), copy them to the chroot.
 	if [ -e ${MAKE_CONF} ] && [ ! -c ${MAKE_CONF} ]; then
 		mkdir -p ${CHROOTDIR}/$(dirname ${MAKE_CONF})
 		cp ${MAKE_CONF} ${CHROOTDIR}/${MAKE_CONF}
 	fi
 	if [ -e ${SRC_CONF} ] && [ ! -c ${SRC_CONF} ]; then
 		mkdir -p ${CHROOTDIR}/$(dirname ${SRC_CONF})
 		cp ${SRC_CONF} ${CHROOTDIR}/${SRC_CONF}
 	fi
 
 	_gitcmd="$(which git)"
 	if [ -z "${NOGIT}" -a -z "${_gitcmd}" ]; then
 		# Install git from ports if the ports tree is available;
 		# otherwise install the pkg.
 		if [ -d ${CHROOTDIR}/usr/ports ]; then
 			# Trick the ports 'run-autotools-fixup' target to do the right
 			# thing.
 			_OSVERSION=$(chroot ${CHROOTDIR} /usr/bin/uname -U)
 			REVISION=$(chroot ${CHROOTDIR} make -C /usr/src/release -V REVISION)
 			BRANCH=$(chroot ${CHROOTDIR} make -C /usr/src/release -V BRANCH)
 			UNAME_r=${REVISION}-${BRANCH}
 			GITUNSETOPTS="CONTRIB CURL CVS GITWEB GUI HTMLDOCS"
 			GITUNSETOPTS="${GITUNSETOPTS} ICONV NLS P4 PERL"
 			GITUNSETOPTS="${GITUNSETOPTS} SEND_EMAIL SUBTREE SVN"
 			GITUNSETOPTS="${GITUNSETOPTS} PCRE PCRE2"
 			PBUILD_FLAGS="OSVERSION=${_OSVERSION} BATCH=yes"
 			PBUILD_FLAGS="${PBUILD_FLAGS} UNAME_r=${UNAME_r}"
 			PBUILD_FLAGS="${PBUILD_FLAGS} OSREL=${REVISION}"
 			PBUILD_FLAGS="${PBUILD_FLAGS} WRKDIRPREFIX=/tmp/ports"
 			PBUILD_FLAGS="${PBUILD_FLAGS} DISTDIR=/tmp/distfiles"
 			eval chroot ${CHROOTDIR} env OPTIONS_UNSET=\"${GITUNSETOPTS}\" \
 				${PBUILD_FLAGS} \
 				make -C /usr/ports/devel/git FORCE_PKG_REGISTER=1 \
 				WRKDIRPREFIX=/tmp/ports \
 				DISTDIR=/tmp/distfiles \
 				install clean distclean
 		else
 			eval chroot ${CHROOTDIR} env ASSUME_ALWAYS_YES=yes \
 				pkg install -y devel/git
 			eval chroot ${CHROOTDIR} env ASSUME_ALWAYS_YES=yes \
 				pkg clean -y
 		fi
 	fi
 
-	if [ ! -z "${WITH_OCIIMAGES}" ]; then
-		# Install buildah and skopeo from ports if the ports tree is available;
-		# otherwise install the pkg.
-		if [ -d ${CHROOTDIR}/usr/ports ]; then
-			# Trick the ports 'run-autotools-fixup' target to do the right
-			# thing.
-			_OSVERSION=$(chroot ${CHROOTDIR} /usr/bin/uname -U)
-			REVISION=$(chroot ${CHROOTDIR} make -C /usr/src/release -V REVISION)
-			BRANCH=$(chroot ${CHROOTDIR} make -C /usr/src/release -V BRANCH)
-			UNAME_r=${REVISION}-${BRANCH}
-			GITUNSETOPTS="CONTRIB CURL CVS GITWEB GUI HTMLDOCS"
-			GITUNSETOPTS="${GITUNSETOPTS} ICONV NLS P4 PERL"
-			GITUNSETOPTS="${GITUNSETOPTS} SEND_EMAIL SUBTREE SVN"
-			GITUNSETOPTS="${GITUNSETOPTS} PCRE PCRE2"
-			PBUILD_FLAGS="OSVERSION=${_OSVERSION} BATCH=yes"
-			PBUILD_FLAGS="${PBUILD_FLAGS} UNAME_r=${UNAME_r}"
-			PBUILD_FLAGS="${PBUILD_FLAGS} OSREL=${REVISION}"
-			PBUILD_FLAGS="${PBUILD_FLAGS} WRKDIRPREFIX=/tmp/ports"
-			PBUILD_FLAGS="${PBUILD_FLAGS} DISTDIR=/tmp/distfiles"
-			for _PORT in sysutils/buildah sysutils/skopeo; do
-				eval chroot ${CHROOTDIR} env ${PBUILD_FLAGS} make -C \
-				     /usr/ports/${_PORT} \
-				     FORCE_PKG_REGISTER=1 deinstall install clean distclean
-			done
-		else
-			eval chroot ${CHROOTDIR} env ASSUME_ALWAYS_YES=yes \
-				pkg install -y sysutils/buildah sysutils/skopeo
-			eval chroot ${CHROOTDIR} env ASSUME_ALWAYS_YES=yes \
-				pkg clean -y
-		fi
-		# Use the vfs storage driver so that this works whether or not
-		# the build directory is on ZFS. The images are small so the
-		# performance difference is negligible.
-		eval chroot ${CHROOTDIR} sed -I .bak -e '/^driver/s/zfs/vfs/' /usr/local/etc/containers/storage.conf
-		# Remove any stray images from previous builds
-		eval chroot ${CHROOTDIR} buildah rmi -af
-	fi
-
 	if [ ! -z "${EMBEDDEDPORTS}" ]; then
 		_OSVERSION=$(chroot ${CHROOTDIR} /usr/bin/uname -U)
 		REVISION=$(chroot ${CHROOTDIR} make -C /usr/src/release -V REVISION)
 		BRANCH=$(chroot ${CHROOTDIR} make -C /usr/src/release -V BRANCH)
 		UNAME_r=${REVISION}-${BRANCH}
 		PBUILD_FLAGS="OSVERSION=${_OSVERSION} BATCH=yes"
 		PBUILD_FLAGS="${PBUILD_FLAGS} UNAME_r=${UNAME_r}"
 		PBUILD_FLAGS="${PBUILD_FLAGS} OSREL=${REVISION}"
 		PBUILD_FLAGS="${PBUILD_FLAGS} WRKDIRPREFIX=/tmp/ports"
 		PBUILD_FLAGS="${PBUILD_FLAGS} DISTDIR=/tmp/distfiles"
 		for _PORT in ${EMBEDDEDPORTS}; do
 			eval chroot ${CHROOTDIR} env ${PBUILD_FLAGS} make -C \
 				/usr/ports/${_PORT} \
 				FORCE_PKG_REGISTER=1 deinstall install clean distclean
 		done
 	fi
 
 	buildenv_setup
 
 	return 0
 } # extra_chroot_setup()
 
 # chroot_build_target(): Build the userland and kernel for the build target.
 chroot_build_target() {
 	load_target_env
 	if [ ! -z "${EMBEDDEDBUILD}" ]; then
 		RELEASE_WMAKEFLAGS="${RELEASE_WMAKEFLAGS} \
 			TARGET=${EMBEDDED_TARGET} \
 			TARGET_ARCH=${EMBEDDED_TARGET_ARCH}"
 		RELEASE_KMAKEFLAGS="${RELEASE_KMAKEFLAGS} \
 			TARGET=${EMBEDDED_TARGET} \
 			TARGET_ARCH=${EMBEDDED_TARGET_ARCH}"
 	fi
 	eval chroot ${CHROOTDIR} make -C /usr/src ${RELEASE_WMAKEFLAGS} buildworld
 	eval chroot ${CHROOTDIR} make -C /usr/src ${RELEASE_KMAKEFLAGS} buildkernel
 	if [ ! -z "${WITH_OCIIMAGES}" ]; then
 		eval chroot ${CHROOTDIR} make -C /usr/src ${RELEASE_WMAKEFLAGS} packages
 	fi
 
 	return 0
 } # chroot_build_target
 
 # chroot_build_release(): Invoke the 'make release' target.
 chroot_build_release() {
 	load_target_env
 	if [ ! -z "${WITH_VMIMAGES}" ]; then
 		if [ -z "${VMFORMATS}" ]; then
 			VMFORMATS="$(eval chroot ${CHROOTDIR} \
 				make -C /usr/src/release -V VMFORMATS)"
 		fi
 		if [ -z "${VMSIZE}" ]; then
 			VMSIZE="$(eval chroot ${CHROOTDIR} \
 				make -C /usr/src/release ${ARCH_FLAGS} -V VMSIZE)"
 		fi
 		RELEASE_RMAKEFLAGS="${RELEASE_RMAKEFLAGS} \
 			VMFORMATS=\"${VMFORMATS}\" VMSIZE=${VMSIZE}"
 	fi
 	eval chroot ${CHROOTDIR} make -C /usr/src/release \
 		${RELEASE_RMAKEFLAGS} release
 	eval chroot ${CHROOTDIR} make -C /usr/src/release \
 		${RELEASE_RMAKEFLAGS} install DESTDIR=/R \
 		WITH_COMPRESSED_IMAGES=${WITH_COMPRESSED_IMAGES} \
 		WITH_COMPRESSED_VMIMAGES=${WITH_COMPRESSED_VMIMAGES}
 
 	return 0
 } # chroot_build_release()
 
 efi_boot_name()
 {
 	case $1 in
 		arm)
 			echo "bootarm.efi"
 			;;
 		arm64)
 			echo "bootaa64.efi"
 			;;
 		amd64)
 			echo "bootx64.efi"
 			;;
 		riscv)
 			echo "bootriscv64.efi"
 			;;
 	esac
 }
 
 # chroot_arm_build_release(): Create arm SD card image.
 chroot_arm_build_release() {
 	load_target_env
 	case ${EMBEDDED_TARGET} in
 		arm|arm64|riscv)
 			if [ -e "${RELENGDIR}/tools/arm.subr" ]; then
 				. "${RELENGDIR}/tools/arm.subr"
 			fi
 			;;
 		*)
 			;;
 	esac
 	[ ! -z "${RELEASECONF}" ] && . "${RELEASECONF}"
 	export MAKE_FLAGS="${MAKE_FLAGS} TARGET=${EMBEDDED_TARGET}"
 	export MAKE_FLAGS="${MAKE_FLAGS} TARGET_ARCH=${EMBEDDED_TARGET_ARCH}"
 	export MAKE_FLAGS="${MAKE_FLAGS} ${CONF_FILES}"
 	eval chroot ${CHROOTDIR} env WITH_UNIFIED_OBJDIR=1 make ${MAKE_FLAGS} -C /usr/src/release obj
 	export WORLDDIR="$(eval chroot ${CHROOTDIR} make ${MAKE_FLAGS} -C /usr/src/release -V WORLDDIR)"
 	export OBJDIR="$(eval chroot ${CHROOTDIR} env WITH_UNIFIED_OBJDIR=1 make ${MAKE_FLAGS} -C /usr/src/release -V .OBJDIR)"
 	export DESTDIR="${OBJDIR}/${KERNEL}"
 	export IMGBASE="${CHROOTDIR}/${OBJDIR}/${BOARDNAME}.img"
 	export OSRELEASE="$(eval chroot ${CHROOTDIR} make ${MAKE_FLAGS} -C /usr/src/release \
 		TARGET=${EMBEDDED_TARGET} TARGET_ARCH=${EMBEDDED_TARGET_ARCH} \
 		-V OSRELEASE)"
 	chroot ${CHROOTDIR} mkdir -p ${DESTDIR}
 	chroot ${CHROOTDIR} truncate -s ${IMAGE_SIZE} ${IMGBASE##${CHROOTDIR}}
 	export mddev=$(chroot ${CHROOTDIR} \
 		mdconfig -f ${IMGBASE##${CHROOTDIR}} ${MD_ARGS})
 	arm_create_disk
 	arm_install_base
 	arm_install_boot
 	arm_install_uboot
 	mdconfig -d -u ${mddev}
 	chroot ${CHROOTDIR} rmdir ${DESTDIR}
 	mv ${IMGBASE} ${CHROOTDIR}/${OBJDIR}/${OSRELEASE}-${BOARDNAME}.img
 	chroot ${CHROOTDIR} mkdir -p /R
 	chroot ${CHROOTDIR} cp -p ${OBJDIR}/${OSRELEASE}-${BOARDNAME}.img \
 		/R/${OSRELEASE}-${BOARDNAME}.img
 	chroot ${CHROOTDIR} xz -T ${XZ_THREADS} /R/${OSRELEASE}-${BOARDNAME}.img
 	cd ${CHROOTDIR}/R && sha512 ${OSRELEASE}* \
 		> CHECKSUM.SHA512
 	cd ${CHROOTDIR}/R && sha256 ${OSRELEASE}* \
 		> CHECKSUM.SHA256
 
 	return 0
 } # chroot_arm_build_release()
 
 # main(): Start here.
 main() {
 	set -e # Everything must succeed
 	env_setup
 	while getopts c: opt; do
 		case ${opt} in
 			c)
 				RELEASECONF="$(realpath ${OPTARG})"
 				;;
 			\?)
 				usage
 				;;
 		esac
 	done
 	shift $(($OPTIND - 1))
 	if [ ! -z "${RELEASECONF}" ]; then
 		if [ -e "${RELEASECONF}" ]; then
 			. ${RELEASECONF}
 		else
 			echo "Nonexistent configuration file: ${RELEASECONF}"
 			echo "Using default build environment."
 		fi
 	fi
 	env_check
 	trap "umount ${CHROOTDIR}/dev" EXIT # Clean up devfs mount on exit
 	chroot_setup
 	extra_chroot_setup
 	chroot_build_target
 	${chroot_build_release_cmd}
 
 	return 0
 } # main()
 
 main "${@}"
diff --git a/release/scripts/make-oci-image.sh b/release/scripts/make-oci-image.sh
index 6180ed9d53b4..0fd64602b403 100644
--- a/release/scripts/make-oci-image.sh
+++ b/release/scripts/make-oci-image.sh
@@ -1,63 +1,144 @@
 #! /bin/sh
 
 # Build an Open Container Initiative (OCI) container image
 
 curdir=$1; shift
 rev=$1; shift
 branch=$1; shift
 arch=$1; shift
 image=$1; shift
+output=$1; shift
 
 major=${rev%.*}
 minor=${rev#*.}
 
 abi=FreeBSD:${major}:${arch}
+ver=${rev}-${branch}-${arch}
 
 echo "Building OCI freebsd${major}-${image} image for ${abi}"
 
 . ${curdir}/tools/oci-image-${image}.conf
 
-init_workdir() {
+init_repo() {
+	local workdir=$1; shift
 	local abi=$1; shift
-	local workdir=$(mktemp -d -t oci-images)
 
-	mkdir ${workdir}/repos
+	mkdir -p ${workdir}/repos
 	cat > ${workdir}/repos/base.conf <<EOF
 FreeBSD-base: {
   url: "file:///usr/obj/usr/src/repo/${abi}/latest"
   signature_type: "none"
   fingerprints: "none"
 }
 EOF
 	cp /etc/pkg/FreeBSD.conf ${workdir}/repos
-	echo ${workdir}
 }
 
+# Install packages using pkg(8) into a container with rootfs at $3
 install_packages() {
 	local abi=$1; shift
 	local workdir=$1; shift
-	local rootdir=$1; shift
+	local rootdir=${workdir}/rootfs
 	if [ ! -d ${rootdir}/usr/share/keys/pkg/trusted ]; then
 		mkdir -p ${rootdir}/usr/share/keys/pkg/trusted
 	fi
 	cp /usr/share/keys/pkg/trusted/* ${rootdir}/usr/share/keys/pkg/trusted
 	# We install the packages and then remove repository metadata (keeping the
 	# metadata for what was installed). This trims more than 40Mb from the
 	# resulting image.
 	env IGNORE_OSVERSION=yes ABI=${abi} pkg --rootdir ${rootdir} --repo-conf-dir ${workdir}/repos \
 		install -yq "$@" || exit $?
 	rm -rf ${rootdir}/var/db/pkg/repos
 }
 
-workdir=$(init_workdir ${abi})
+set_cmd() {
+	local workdir=$1; shift
+	oci_cmd="$@"
+}
+
+# Convert FreeBSD architecture to OCI-style. See
+# https://github.com/containerd/platforms/blob/main/platforms.go for details
+normalize_arch() {
+	local arch=$1; shift
+	case ${arch} in
+		i386)
+		       arch=386
+		       ;;
+		aarch64)
+		       arch=arm64
+		       ;;
+		amd64) ;;
+		riscv64) ;;
+		*)
+			echo "Architecture ${arch} not supported for container images"
+			;;
+	esac
+	echo ${arch}
+}
+
+create_container() {
+	local workdir=$1; shift
+	local base_workdir=$1; shift
+	oci_cmd=
+	if [ -d ${workdir}/rootfs ]; then
+		chflags -R 0 ${workdir}/rootfs
+		rm -rf ${workdir}/rootfs
+	fi
+	mkdir -p ${workdir}/rootfs
+	if [ "${base_workdir}" != "" ]; then
+		tar -C ${workdir}/rootfs -xf ${base_workdir}/rootfs.tar.gz
+	fi
+}
+
+commit_container() {
+	local workdir=$1; shift
+	local image=$1; shift
+	local output=$1; shift
+
+	# Note: the diff_id (needed for image config) is the hash of the uncompressed tar
+	tar -C ${workdir}/rootfs --strip-components 1 -cf ${workdir}/rootfs.tar .
+	local diff_id=$(sha256 -q < ${workdir}/rootfs.tar)
+	gzip -f ${workdir}/rootfs.tar
+	local create_time=$(date -u +%Y-%m-%dT%TZ)
+	local root_hash=$(sha256 -q < ${workdir}/rootfs.tar.gz)
+	local root_size=$(stat -f %z ${workdir}/rootfs.tar.gz)
+
+	oci_arch=$(normalize_arch ${arch})
+
+	config=
+	if [ -n "${oci_cmd}" ]; then
+		config=",\"config\":{\"cmd\":[\"${oci_cmd}\"]}"
+	fi
+	echo "{\"created\":\"${create_time}\",\"architecture\":\"${oci_arch}\",\"os\":\"freebsd\"${config},\"rootfs\":{\"type\":\"layers\",\"diff_ids\":[\"sha256:${diff_id}\"]},\"history\":[{\"created\":\"${create_time}\",\"created_by\":\"make-oci-image.sh\"}]}" > ${workdir}/config.json
+	local config_hash=$(sha256 -q < ${workdir}/config.json)
+	local config_size=$(stat -f %z ${workdir}/config.json)
+
+	echo "{\"schemaVersion\":2,\"mediaType\":\"application/vnd.oci.image.manifest.v1+json\",\"config\":{\"mediaType\":\"application/vnd.oci.image.config.v1+json\",\"digest\":\"sha256:${config_hash}\",\"size\":${config_size}},\"layers\":[{\"mediaType\":\"application/vnd.oci.image.layer.v1.tar+gzip\",\"digest\":\"sha256:${root_hash}\",\"size\":${root_size}}],\"annotations\":{}}" > ${workdir}/manifest.json
+	local manifest_hash=$(sha256 -q < ${workdir}/manifest.json)
+	local manifest_size=$(stat -f %z ${workdir}/manifest.json)
+
+	mkdir -p ${workdir}/oci/blobs/sha256
+	echo "{\"imageLayoutVersion\": \"1.0.0\"}" > ${workdir}/oci/oci-layout
+	echo "{\"schemaVersion\":2,\"manifests\":[{\"mediaType\":\"application/vnd.oci.image.manifest.v1+json\",\"digest\":\"sha256:${manifest_hash}\",\"size\":${manifest_size},\"annotations\":{\"org.opencontainers.image.ref.name\":\"freebsd-${image}:${ver}\"}}]}" > ${workdir}/oci/index.json
+	ln ${workdir}/rootfs.tar.gz ${workdir}/oci/blobs/sha256/${root_hash}
+	ln ${workdir}/config.json ${workdir}/oci/blobs/sha256/${config_hash}
+	ln ${workdir}/manifest.json ${workdir}/oci/blobs/sha256/${manifest_hash}
+
+	tar -C ${workdir}/oci --xz --strip-components 1 --no-read-sparse -a -cf ${output} .
+}
+
+# Prefix with "container-image-" so that we can create a unique work area under
+# ${.OBJDIR}. We can assume that make has set our working directory to
+# ${.OBJDIR}.
+workdir=${PWD}/container-image-${image}
+init_repo ${workdir} ${abi}
+
 if [ -n "${OCI_BASE_IMAGE}" ]; then
-	base_image=freebsd${major}-${OCI_BASE_IMAGE}
+	base_workdir=${PWD}/container-image-${OCI_BASE_IMAGE}
 else
-	base_image=scratch
+	base_workdir=
 fi
 
-c=$(buildah from --arch ${arch} ${base_image})
-m=$(buildah mount $c)
+create_container ${workdir} ${base_workdir}
 oci_image_build
-buildah unmount $c
-buildah commit --rm $c freebsd${major}-${image}:latest
+commit_container ${workdir} ${image} ${output}
diff --git a/release/tools/oci-image-dynamic.conf b/release/tools/oci-image-dynamic.conf
index b146ff2cf7c3..61cb90187764 100644
--- a/release/tools/oci-image-dynamic.conf
+++ b/release/tools/oci-image-dynamic.conf
@@ -1,11 +1,11 @@
 #! /bin/sh
 
 # Build Open Container Initiative (OCI) container image suitable as a base for
 # dynamic-linked workloads. This adds libraries from the FreeBSD-clibs and
 # FreeBSD-openssl-lib packages.
 
 OCI_BASE_IMAGE=static
 
 oci_image_build() {
-	install_packages ${abi} ${workdir} $m FreeBSD-clibs FreeBSD-openssl-lib
+	install_packages ${abi} ${workdir} FreeBSD-clibs FreeBSD-openssl-lib
 }
diff --git a/release/tools/oci-image-minimal.conf b/release/tools/oci-image-minimal.conf
index 82e2ce6a1bd3..93aad1e39250 100644
--- a/release/tools/oci-image-minimal.conf
+++ b/release/tools/oci-image-minimal.conf
@@ -1,22 +1,23 @@
 #! /bin/sh
 
 # Build Open Container Initiative (OCI) container image suitable as a base for
 # shell-based workloads. This adds FreeBSD-runtime, FreeBSD-pkg-bootstrap and a
 # handful of others packages to create a small image which can be easily
 # extended by installing packages.
 
 OCI_BASE_IMAGE=dynamic
 
 oci_image_build() {
-	install_packages ${abi} ${workdir} $m \
+	set_cmd ${workdir} /bin/sh
+	install_packages ${abi} ${workdir} \
 			 FreeBSD-runtime \
 			 FreeBSD-certctl \
 			 FreeBSD-kerberos-lib \
 			 FreeBSD-libarchive \
 			 FreeBSD-libexecinfo \
 			 FreeBSD-libucl \
 			 FreeBSD-fetch \
 			 FreeBSD-rc \
 			 FreeBSD-pkg-bootstrap \
 			 FreeBSD-mtree
 }
diff --git a/release/tools/oci-image-static.conf b/release/tools/oci-image-static.conf
index 552328e66f3c..753a03af653b 100644
--- a/release/tools/oci-image-static.conf
+++ b/release/tools/oci-image-static.conf
@@ -1,45 +1,46 @@
 #! /bin/sh
 
 # Build Open Container Initiative (OCI) container image suitable as a base for
 # static-linked workloads. This contains mtree directories, SSL certificates and
 # a few other config files.
 
 OCI_BASE_IMAGE=
 
 oci_image_build() {
 	local srcdir=${curdir}/..
+	local m=${workdir}/rootfs
 	mtree -deU -p $m/ -f ${srcdir}/etc/mtree/BSD.root.dist > /dev/null
 	mtree -deU -p $m/var -f ${srcdir}/etc/mtree/BSD.var.dist > /dev/null
 	mtree -deU -p $m/usr -f ${srcdir}/etc/mtree/BSD.usr.dist > /dev/null
 	mtree -deU -p $m/usr/include -f ${srcdir}/etc/mtree/BSD.include.dist > /dev/null
 	mtree -deU -p $m/usr/lib -f ${srcdir}/etc/mtree/BSD.debug.dist > /dev/null
-	install_packages ${abi} ${workdir} $m FreeBSD-caroot FreeBSD-zoneinfo
+	install_packages ${abi} ${workdir} FreeBSD-caroot FreeBSD-zoneinfo
 	cp ${srcdir}/etc/master.passwd $m/etc
 	pwd_mkdb -p -d $m/etc $m/etc/master.passwd || return $?
 	cp ${srcdir}/etc/group $m/etc || return $?
 	# termcap.small is generated so we get it from OBJDIR - make sets our
 	# working directory to OBJDIR/release
 	cp ../etc/termcap/termcap.small $m/etc/termcap.small || return $?
 	cp ../etc/termcap/termcap.small $m/usr/share/misc/termcap || return $?
 	env DESTDIR=$m /usr/sbin/certctl rehash
 	# Generate a suitable repo config for pkgbase
 	case ${branch} in
 		CURRENT|STABLE|BETA*)
 			repo=base_latest
 			;;
 		*)
 			repo=base_release_${minor}
 			;;
 	esac
 	mkdir -p $m/usr/local/etc/pkg/repos
 	cat > $m/usr/local/etc/pkg/repos/base.conf <<EOF
 FreeBSD-base: {
   url: "https://pkg.FreeBSD.org/\${ABI}/${repo}",
   mirror_type: "srv",
   signature_type: "fingerprints",
   fingerprints: "/usr/share/keys/pkg",
   enabled: yes
 }
 EOF
 
 }