diff --git a/metropolis/cli/metroctl/BUILD.bazel b/metropolis/cli/metroctl/BUILD.bazel
index e1d724b..65b8e8a 100644
--- a/metropolis/cli/metroctl/BUILD.bazel
+++ b/metropolis/cli/metroctl/BUILD.bazel
@@ -51,6 +51,7 @@
         "//osbase/logtree/proto",
         "//osbase/net/sshtakeover",
         "//osbase/oci",
+        "//osbase/oci/registry",
         "//osbase/structfs",
         "//version",
         "@com_github_adrg_xdg//:xdg",
diff --git a/metropolis/cli/metroctl/cmd_node.go b/metropolis/cli/metroctl/cmd_node.go
index 620a7f5..4e16213 100644
--- a/metropolis/cli/metroctl/cmd_node.go
+++ b/metropolis/cli/metroctl/cmd_node.go
@@ -19,6 +19,8 @@
 
 	"source.monogon.dev/go/clitable"
 	"source.monogon.dev/metropolis/cli/metroctl/core"
+	"source.monogon.dev/osbase/oci"
+	"source.monogon.dev/osbase/oci/registry"
 	"source.monogon.dev/version"
 
 	apb "source.monogon.dev/metropolis/proto/api"
@@ -83,18 +85,64 @@
 	Args: PrintUsageOnWrongArgs(cobra.ArbitraryArgs),
 }
 
+// parseImageRef parses a reference to an OCI image stored in a registry.
+//
+// The format is [http[s]://]host[:port]/repository[:tag]@digest, where []
+// indicates optional components. This format is for convenience and is similar
+// to what other tools use.
+func parseImageRef(imageRef string) (*apb.OSImageRef, error) {
+	scheme := "https"
+	var ok bool
+	if imageRef, ok = strings.CutPrefix(imageRef, "https://"); ok {
+		scheme = "https"
+	} else if imageRef, ok = strings.CutPrefix(imageRef, "http://"); ok {
+		scheme = "http"
+	}
+	host, rest, ok := strings.Cut(imageRef, "/")
+	if !ok || host == "" {
+		return nil, fmt.Errorf("missing host")
+	}
+	rest, digest, ok := strings.Cut(rest, "@")
+	if !ok || digest == "" {
+		return nil, fmt.Errorf("missing digest")
+	}
+	repository, tag, _ := strings.Cut(rest, ":")
+
+	if !registry.RepositoryRegexp.MatchString(repository) {
+		return nil, fmt.Errorf("invalid repository %q", repository)
+	}
+	if tag != "" && !registry.TagRegexp.MatchString(tag) {
+		return nil, fmt.Errorf("invalid tag %q", tag)
+	}
+	if _, _, err := oci.ParseDigest(digest); err != nil {
+		return nil, err
+	}
+
+	return &apb.OSImageRef{
+		Scheme:     scheme,
+		Host:       host,
+		Repository: repository,
+		Tag:        tag,
+		Digest:     digest,
+	}, nil
+}
+
 var nodeUpdateCmd = &cobra.Command{
 	Short:   "Updates the operating system of a cluster node.",
 	Use:     "update [NodeIDs]",
-	Example: "metroctl node update --bundle-url https://example.com/bundle.zip --activation-mode reboot metropolis-25fa5f5e9349381d4a5e9e59de0215e3",
+	Example: "metroctl node update --image-ref registry.example/monogon-os/node:0.1-amd64@sha256:345db5d8fc468218c5232bf54a1358b6825c28d658fa12c9a1edcc7539690686 --activation-mode reboot metropolis-25fa5f5e9349381d4a5e9e59de0215e3",
 	RunE: func(cmd *cobra.Command, args []string) error {
-		bundleUrl, err := cmd.Flags().GetString("bundle-url")
+		imageRef, err := cmd.Flags().GetString("image-ref")
 		if err != nil {
 			return err
 		}
 
-		if len(bundleUrl) == 0 {
-			return fmt.Errorf("flag bundle-url is required")
+		if len(imageRef) == 0 {
+			return fmt.Errorf("flag image-ref is required")
+		}
+		osImage, err := parseImageRef(imageRef)
+		if err != nil {
+			return fmt.Errorf("invalid image-ref: %w", err)
 		}
 
 		activationMode, err := cmd.Flags().GetString("activation-mode")
@@ -158,7 +206,7 @@
 		}
 
 		updateReq := &apb.UpdateNodeRequest{
-			BundleUrl:      bundleUrl,
+			OsImage:        osImage,
 			ActivationMode: am,
 		}
 
@@ -431,7 +479,7 @@
 }
 
 func init() {
-	nodeUpdateCmd.Flags().String("bundle-url", "", "The URL to the new version")
+	nodeUpdateCmd.Flags().String("image-ref", "", "Reference to the new version stored in an OCI registry, in the format [http[s]://]host[:port]/repository[:tag]@digest")
 	nodeUpdateCmd.Flags().String("activation-mode", "reboot", "How the update should be activated (kexec, reboot, none)")
 	nodeUpdateCmd.Flags().Uint64("max-unavailable", 1, "Maximum nodes which can be unavailable during the update process")
 	nodeUpdateCmd.Flags().StringArray("exclude", nil, "List of nodes to exclude (useful with the \"all\" argument)")
diff --git a/metropolis/node/core/mgmt/update.go b/metropolis/node/core/mgmt/update.go
index de9b876..1e61ef1 100644
--- a/metropolis/node/core/mgmt/update.go
+++ b/metropolis/node/core/mgmt/update.go
@@ -23,7 +23,7 @@
 	if req.ActivationMode == apb.ActivationMode_ACTIVATION_MODE_INVALID {
 		return nil, status.Errorf(codes.InvalidArgument, "activation_mode needs to be explicitly specified")
 	}
-	if err := s.UpdateService.InstallBundle(ctx, req.BundleUrl, req.ActivationMode == apb.ActivationMode_ACTIVATION_MODE_KEXEC); err != nil {
+	if err := s.UpdateService.InstallImage(ctx, req.OsImage, req.ActivationMode == apb.ActivationMode_ACTIVATION_MODE_KEXEC); err != nil {
 		return nil, status.Errorf(codes.Unavailable, "error installing update: %v", err)
 	}
 	if req.ActivationMode != apb.ActivationMode_ACTIVATION_MODE_NONE {
diff --git a/metropolis/node/core/update/BUILD.bazel b/metropolis/node/core/update/BUILD.bazel
index 6b12a94..8dac43e 100644
--- a/metropolis/node/core/update/BUILD.bazel
+++ b/metropolis/node/core/update/BUILD.bazel
@@ -11,11 +11,16 @@
     deps = [
         "//go/logging",
         "//metropolis/node/core/abloader/spec",
+        "//metropolis/proto/api",
+        "//metropolis/version",
         "//osbase/blockdev",
         "//osbase/build/mkimage/osimage",
         "//osbase/efivarfs",
         "//osbase/gpt",
         "//osbase/kexec",
+        "//osbase/oci/osimage",
+        "//osbase/oci/registry",
+        "//version",
         "@com_github_cenkalti_backoff_v4//:backoff",
         "@org_golang_google_grpc//codes",
         "@org_golang_google_grpc//status",
diff --git a/metropolis/node/core/update/e2e/BUILD.bazel b/metropolis/node/core/update/e2e/BUILD.bazel
index 83716d1..5dcf3f7 100644
--- a/metropolis/node/core/update/e2e/BUILD.bazel
+++ b/metropolis/node/core/update/e2e/BUILD.bazel
@@ -12,12 +12,12 @@
         "//metropolis/node/core/update/e2e/testos:kernel_efi_x",
         "//metropolis/node/core/abloader",
         # For the two update tests
-        "//metropolis/node/core/update/e2e/testos:testos_bundle_y",
-        "//metropolis/node/core/update/e2e/testos:testos_bundle_z",
+        "//metropolis/node/core/update/e2e/testos:testos_image_y",
+        "//metropolis/node/core/update/e2e/testos:testos_image_z",
     ],
     x_defs = {
-        "xBundleYPath": "$(rlocationpath //metropolis/node/core/update/e2e/testos:testos_bundle_y )",
-        "xBundleZPath": "$(rlocationpath //metropolis/node/core/update/e2e/testos:testos_bundle_z )",
+        "xImageYPath": "$(rlocationpath //metropolis/node/core/update/e2e/testos:testos_image_y )",
+        "xImageZPath": "$(rlocationpath //metropolis/node/core/update/e2e/testos:testos_image_z )",
         "xOvmfVarsPath": "$(rlocationpath //third_party/edk2:OVMF_VARS.fd )",
         "xOvmfCodePath": "$(rlocationpath //third_party/edk2:OVMF_CODE.fd )",
         "xBootPath": "$(rlocationpath //metropolis/node/core/update/e2e/testos:kernel_efi_x )",
@@ -27,6 +27,8 @@
     deps = [
         "//osbase/blockdev",
         "//osbase/build/mkimage/osimage",
+        "//osbase/oci",
+        "//osbase/oci/registry",
         "//osbase/structfs",
         "@io_bazel_rules_go//go/runfiles",
     ],
diff --git a/metropolis/node/core/update/e2e/e2e_test.go b/metropolis/node/core/update/e2e/e2e_test.go
index 4a1c6a2..ec51281 100644
--- a/metropolis/node/core/update/e2e/e2e_test.go
+++ b/metropolis/node/core/update/e2e/e2e_test.go
@@ -15,7 +15,6 @@
 	"path/filepath"
 	"regexp"
 	"strings"
-	"sync"
 	"testing"
 	"time"
 
@@ -23,6 +22,8 @@
 
 	"source.monogon.dev/osbase/blockdev"
 	"source.monogon.dev/osbase/build/mkimage/osimage"
+	"source.monogon.dev/osbase/oci"
+	"source.monogon.dev/osbase/oci/registry"
 	"source.monogon.dev/osbase/structfs"
 )
 
@@ -30,8 +31,8 @@
 	// These are filled by bazel at linking time with the canonical path of
 	// their corresponding file. Inside the init function we resolve it
 	// with the rules_go runfiles package to the real path.
-	xBundleYPath  string
-	xBundleZPath  string
+	xImageYPath   string
+	xImageZPath   string
 	xOvmfVarsPath string
 	xOvmfCodePath string
 	xBootPath     string
@@ -42,7 +43,7 @@
 func init() {
 	var err error
 	for _, path := range []*string{
-		&xBundleYPath, &xBundleZPath, &xOvmfVarsPath,
+		&xImageYPath, &xImageZPath, &xOvmfVarsPath,
 		&xOvmfCodePath, &xBootPath, &xSystemXPath,
 		&xAbloaderPath,
 	} {
@@ -53,8 +54,6 @@
 	}
 }
 
-const Mi = 1024 * 1024
-
 var variantRegexp = regexp.MustCompile(`TESTOS_VARIANT=([A-Z])`)
 
 func stdoutHandler(t *testing.T, cmd *exec.Cmd, cancel context.CancelFunc, testosStarted chan string) {
@@ -68,11 +67,11 @@
 			if strings.HasPrefix(s.Text(), "[") {
 				continue
 			}
-			errIdx := strings.Index(s.Text(), "Error installing new bundle")
+			errIdx := strings.Index(s.Text(), "Error installing new image")
 			if errIdx != -1 {
 				cancel()
 			}
-			t.Log("vm: " + s.Text())
+			fmt.Printf("vm: %q\n", s.Text())
 			if m := variantRegexp.FindStringSubmatch(s.Text()); len(m) == 2 {
 				select {
 				case testosStarted <- m[1]:
@@ -94,7 +93,7 @@
 			if strings.HasPrefix(s.Text(), "[") {
 				continue
 			}
-			t.Log("qemu: " + s.Text())
+			fmt.Printf("qemu: %q\n", s.Text())
 		}
 	}()
 }
@@ -132,61 +131,34 @@
 	}
 }
 
-type bundleServing struct {
-	t              *testing.T
-	bundlePaths    map[string]string
-	bundleFilePath string
-	// Protects bundleFilePath above
-	m sync.Mutex
-}
-
-func (b *bundleServing) setNextBundle(variant string) {
-	b.m.Lock()
-	defer b.m.Unlock()
-	p, ok := b.bundlePaths[variant]
-	if !ok {
-		b.t.Fatalf("no bundle for variant %s available", variant)
-	}
-	b.bundleFilePath = p
-}
-
-// setup sets up an an HTTP server for serving bundles which can be controlled
-// through the returned bundleServing struct as well as the initial boot disk
-// and EFI variable storage. It also returns the required QEMU arguments to
-// boot the initial TestOS.
-func setup(t *testing.T) (*bundleServing, []string) {
+// setup sets up a registry server as well as the initial boot disk
+// and EFI variable storage. It also returns the required QEMU arguments.
+func setup(t *testing.T) []string {
 	t.Helper()
-	blobAddr := net.TCPAddr{
+	registryAddr := net.TCPAddr{
 		IP:   net.IPv4(10, 42, 0, 5),
 		Port: 80,
 	}
 
-	b := bundleServing{
-		t:           t,
-		bundlePaths: make(map[string]string),
-	}
-
-	m := http.NewServeMux()
-	b.bundlePaths["Y"] = xBundleYPath
-	b.bundlePaths["Z"] = xBundleZPath
-	m.HandleFunc("/bundle.bin", func(w http.ResponseWriter, req *http.Request) {
-		b.m.Lock()
-		bundleFilePath := b.bundleFilePath
-		b.m.Unlock()
-		if bundleFilePath == "" {
-			w.WriteHeader(http.StatusBadRequest)
-			w.Write([]byte("No next bundle set in the test harness"))
-			return
-		}
-		http.ServeFile(w, req, bundleFilePath)
-	})
-	blobLis, err := net.Listen("tcp", "127.0.0.1:0")
+	imageY, err := oci.ReadLayout(xImageYPath)
 	if err != nil {
 		t.Fatal(err)
 	}
-	t.Cleanup(func() { blobLis.Close() })
-	blobListenAddr := blobLis.Addr().(*net.TCPAddr)
-	go http.Serve(blobLis, m)
+	imageZ, err := oci.ReadLayout(xImageZPath)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	registryServer := registry.NewServer()
+	registryServer.AddImage("testos", "y", imageY)
+	registryServer.AddImage("testos", "z", imageZ)
+	registryLis, err := net.Listen("tcp", "127.0.0.1:0")
+	if err != nil {
+		t.Fatal(err)
+	}
+	t.Cleanup(func() { registryLis.Close() })
+	registryListenAddr := registryLis.Addr().(*net.TCPAddr)
+	go http.Serve(registryLis, registryServer)
 
 	rootDevPath := filepath.Join(t.TempDir(), "root.img")
 	// Make a 512 bytes * 2Mi = 1Gi file-backed block device
@@ -225,7 +197,7 @@
 		t.Fatalf("unable to generate starting point image: %v", err)
 	}
 
-	blobGuestFwd := fmt.Sprintf("guestfwd=tcp:%s-tcp:127.0.0.1:%d", blobAddr.String(), blobListenAddr.Port)
+	registryGuestFwd := fmt.Sprintf("guestfwd=tcp:%s-tcp:127.0.0.1:%d", registryAddr.String(), registryListenAddr.Port)
 
 	ovmfVars, err := os.CreateTemp("", "ab-ovmf-vars")
 	if err != nil {
@@ -248,33 +220,33 @@
 		"-drive", "if=pflash,format=raw,readonly=on,file=" + xOvmfCodePath,
 		"-drive", "if=pflash,format=raw,file=" + ovmfVars.Name(),
 		"-drive", "if=virtio,format=raw,cache=unsafe,file=" + rootDevPath,
-		"-netdev", fmt.Sprintf("user,id=net0,net=10.42.0.0/24,dhcpstart=10.42.0.10,%s", blobGuestFwd),
+		"-netdev", fmt.Sprintf("user,id=net0,net=10.42.0.0/24,dhcpstart=10.42.0.10,%s", registryGuestFwd),
 		"-device", "virtio-net-pci,netdev=net0,mac=22:d5:8e:76:1d:07",
 		"-device", "virtio-rng-pci",
 		"-serial", "stdio",
 		"-no-reboot",
+		"-fw_cfg", "name=opt/testos_y_digest,string=" + imageY.ManifestDigest,
+		"-fw_cfg", "name=opt/testos_z_digest,string=" + imageZ.ManifestDigest,
 	}
-	return &b, qemuArgs
+	return qemuArgs
 }
 
 func TestABUpdateSequenceReboot(t *testing.T) {
-	bsrv, qemuArgs := setup(t)
+	qemuArgs := setup(t)
 
-	t.Log("Launching X image to install Y")
-	bsrv.setNextBundle("Y")
+	fmt.Println("Launching X image to install Y")
 	runAndCheckVariant(t, "X", qemuArgs)
 
-	t.Log("Launching Y on slot B to install Z on slot A")
-	bsrv.setNextBundle("Z")
+	fmt.Println("Launching Y on slot B to install Z on slot A")
 	runAndCheckVariant(t, "Y", qemuArgs)
 
-	t.Log("Launching Z on slot A")
+	fmt.Println("Launching Z on slot A")
 	runAndCheckVariant(t, "Z", qemuArgs)
 }
 
 func TestABUpdateSequenceKexec(t *testing.T) {
-	bsrv, qemuArgs := setup(t)
-	qemuArgs = append(qemuArgs, "-fw_cfg", "name=use_kexec,string=1")
+	qemuArgs := setup(t)
+	qemuArgs = append(qemuArgs, "-fw_cfg", "name=opt/use_kexec,string=1")
 
 	ctx, cancel := context.WithTimeout(context.Background(), 30*time.Second)
 	defer cancel()
@@ -314,8 +286,7 @@
 					return
 				}
 			}
-			bsrv.setNextBundle(expectedVariant)
-			t.Logf("Got %s, installing %s", variant, expectedVariant)
+			fmt.Printf("Got %s, installing %s\n", variant, expectedVariant)
 		case err := <-procExit:
 			t.Fatalf("QEMU exited unexpectedly: %v", err)
 		case <-ctx.Done():
diff --git a/metropolis/node/core/update/e2e/testos/BUILD.bazel b/metropolis/node/core/update/e2e/testos/BUILD.bazel
index c0f6aed..5301b57 100644
--- a/metropolis/node/core/update/e2e/testos/BUILD.bazel
+++ b/metropolis/node/core/update/e2e/testos/BUILD.bazel
@@ -15,6 +15,7 @@
     deps = [
         "//metropolis/node/core/network",
         "//metropolis/node/core/update",
+        "//metropolis/proto/api",
         "//osbase/blockdev",
         "//osbase/bringup",
         "//osbase/build/mkimage/osimage",
diff --git a/metropolis/node/core/update/e2e/testos/main.go b/metropolis/node/core/update/e2e/testos/main.go
index 39c019d..2cafebc 100644
--- a/metropolis/node/core/update/e2e/testos/main.go
+++ b/metropolis/node/core/update/e2e/testos/main.go
@@ -18,6 +18,8 @@
 	"source.monogon.dev/osbase/build/mkimage/osimage"
 	"source.monogon.dev/osbase/gpt"
 	"source.monogon.dev/osbase/supervisor"
+
+	apb "source.monogon.dev/metropolis/proto/api"
 )
 
 var Variant = "U"
@@ -68,16 +70,35 @@
 	if err := updateSvc.MarkBootSuccessful(); err != nil {
 		supervisor.Logger(ctx).Errorf("error marking boot successful: %w", err)
 	}
-	_, err = os.Stat("/sys/firmware/qemu_fw_cfg/by_name/use_kexec/raw")
+
+	_, err = os.Stat("/sys/firmware/qemu_fw_cfg/by_name/opt/use_kexec/raw")
 	useKexec := err == nil
 	supervisor.Logger(ctx).Infof("Kexec: %v", useKexec)
-	if Variant != "Z" {
-		if err := updateSvc.InstallBundle(ctx, "http://10.42.0.5:80/bundle.bin", useKexec); err != nil {
-			supervisor.Logger(ctx).Errorf("Error installing new bundle: %v", err)
+
+	nextVariantMap := map[string]string{
+		"X": "y",
+		"Y": "z",
+	}
+	nextVariant := nextVariantMap[Variant]
+
+	if nextVariant != "" {
+		nextDigest, err := os.ReadFile(fmt.Sprintf("/sys/firmware/qemu_fw_cfg/by_name/opt/testos_%s_digest/raw", nextVariant))
+		if err != nil {
+			return fmt.Errorf("unable to read next digest: %w", err)
+		}
+		imageRef := &apb.OSImageRef{
+			Scheme:     "http",
+			Host:       "10.42.0.5:80",
+			Repository: "testos",
+			Tag:        nextVariant,
+			Digest:     string(nextDigest),
+		}
+		if err := updateSvc.InstallImage(ctx, imageRef, useKexec); err != nil {
+			supervisor.Logger(ctx).Errorf("Error installing new image: %v", err)
 		}
 	}
 	supervisor.Signal(ctx, supervisor.SignalHealthy)
-	supervisor.Logger(ctx).Info("Installed bundle successfully, powering off")
+	supervisor.Logger(ctx).Info("Installed image successfully, powering off")
 	unix.Sync()
 	time.Sleep(1 * time.Second)
 	if useKexec && Variant != "Z" {
diff --git a/metropolis/node/core/update/e2e/testos/testos.bzl b/metropolis/node/core/update/e2e/testos/testos.bzl
index a38b68d..8822e50 100644
--- a/metropolis/node/core/update/e2e/testos/testos.bzl
+++ b/metropolis/node/core/update/e2e/testos/testos.bzl
@@ -1,7 +1,6 @@
 load("@io_bazel_rules_go//go:def.bzl", "go_binary")
-load("@rules_pkg//:mappings.bzl", "pkg_files")
-load("@rules_pkg//:pkg.bzl", "pkg_zip")
 load("//osbase/build/mkerofs:def.bzl", "erofs_image")
+load("//osbase/build/mkoci:def.bzl", "oci_os_image")
 load("//osbase/build/mkpayload:def.bzl", "efi_unified_kernel_image")
 load("//osbase/build/mkverity:def.bzl", "verity_image")
 
@@ -34,25 +33,12 @@
         visibility = ["//metropolis/node/core/update/e2e:__pkg__"],
     )
 
-    # An intermediary "bundle" format until we finalize the actual bundle format. This is NOT stable until migrated
-    # to the actual bundle format.
-    # TODO(lorenz): Replace this
-    pkg_files(
-        name = "testos_bundle_files_" + variant,
-        srcs = [
-            ":kernel_efi_" + variant,
-            ":verity_rootfs_" + variant,
-        ],
-        renames = {
-            ":kernel_efi_" + variant: "kernel_efi.efi",
-            ":verity_rootfs_" + variant: "verity_rootfs.img",
+    oci_os_image(
+        name = "testos_image_" + variant,
+        srcs = {
+            "system": ":verity_rootfs_" + variant,
+            "kernel.efi": ":kernel_efi_" + variant,
         },
-    )
-    pkg_zip(
-        name = "testos_bundle_" + variant,
-        srcs = [
-            ":testos_bundle_files_" + variant,
-        ],
         visibility = ["//metropolis/node/core/update/e2e:__pkg__"],
     )
 
diff --git a/metropolis/node/core/update/update.go b/metropolis/node/core/update/update.go
index 0dbc485..48f778d 100644
--- a/metropolis/node/core/update/update.go
+++ b/metropolis/node/core/update/update.go
@@ -4,7 +4,6 @@
 package update
 
 import (
-	"archive/zip"
 	"bytes"
 	"context"
 	"crypto/sha256"
@@ -13,12 +12,12 @@
 	"errors"
 	"fmt"
 	"io"
-	"net/http"
 	"os"
 	"path/filepath"
 	"regexp"
 	"strconv"
 	"strings"
+	"time"
 
 	"github.com/cenkalti/backoff/v4"
 	"golang.org/x/sys/unix"
@@ -27,12 +26,18 @@
 	"google.golang.org/protobuf/proto"
 
 	"source.monogon.dev/go/logging"
-	abloaderpb "source.monogon.dev/metropolis/node/core/abloader/spec"
+	mversion "source.monogon.dev/metropolis/version"
 	"source.monogon.dev/osbase/blockdev"
 	"source.monogon.dev/osbase/build/mkimage/osimage"
 	"source.monogon.dev/osbase/efivarfs"
 	"source.monogon.dev/osbase/gpt"
 	"source.monogon.dev/osbase/kexec"
+	ociosimage "source.monogon.dev/osbase/oci/osimage"
+	"source.monogon.dev/osbase/oci/registry"
+	"source.monogon.dev/version"
+
+	abloaderpb "source.monogon.dev/metropolis/node/core/abloader/spec"
+	apb "source.monogon.dev/metropolis/proto/api"
 )
 
 // Service contains data and functionality to perform A/B updates on a
@@ -255,41 +260,55 @@
 	return nil
 }
 
-// InstallBundle installs the bundle at the given HTTP(S) URL into the currently
-// inactive slot and sets that slot to boot next. If it doesn't return an error,
-// a reboot boots into the new slot.
-func (s *Service) InstallBundle(ctx context.Context, bundleURL string, withKexec bool) error {
+// InstallImage fetches the given image, installs it into the currently inactive
+// slot and sets that slot to boot next. If it doesn't return an error, a reboot
+// boots into the new slot.
+func (s *Service) InstallImage(ctx context.Context, imageRef *apb.OSImageRef, withKexec bool) error {
+	if imageRef == nil {
+		return fmt.Errorf("missing OS image in OS installation request")
+	}
+	if imageRef.Digest == "" {
+		return fmt.Errorf("missing digest in OS installation request")
+	}
 	if s.ESPPath == "" {
 		return errors.New("no ESP information provided to update service, cannot continue")
 	}
-	// Download into a buffer as ZIP files cannot efficiently be read from
-	// HTTP in Go as the ReaderAt has no way of indicating continuous sections,
-	// thus a ton of small range requests would need to be used, causing
-	// a huge latency penalty as well as costing a lot of money on typical
-	// object storages. This should go away when we switch to a better bundle
-	// format which can be streamed.
-	var bundleRaw bytes.Buffer
-	b := backoff.NewExponentialBackOff()
-	err := backoff.Retry(func() error {
-		return s.tryDownloadBundle(ctx, bundleURL, &bundleRaw)
-	}, backoff.WithContext(b, ctx))
-	if err != nil {
-		return fmt.Errorf("error downloading Metropolis bundle: %w", err)
+
+	downloadCtx, cancel := context.WithTimeout(ctx, 15*time.Minute)
+	defer cancel()
+
+	client := &registry.Client{
+		GetBackOff: func() backoff.BackOff {
+			return backoff.NewExponentialBackOff()
+		},
+		RetryNotify: func(err error, d time.Duration) {
+			s.Logger.Warningf("Error while fetching OS image, retrying in %v: %v", d, err)
+		},
+		UserAgent:  "MonogonOS/" + strings.TrimPrefix(version.Semver(mversion.Version), "v"),
+		Scheme:     imageRef.Scheme,
+		Host:       imageRef.Host,
+		Repository: imageRef.Repository,
 	}
-	bundle, err := zip.NewReader(bytes.NewReader(bundleRaw.Bytes()), int64(bundleRaw.Len()))
+
+	image, err := client.Read(downloadCtx, imageRef.Tag, imageRef.Digest)
 	if err != nil {
-		return fmt.Errorf("failed to open node bundle: %w", err)
+		return fmt.Errorf("failed to fetch OS image: %w", err)
 	}
-	efiPayload, err := bundle.Open("kernel_efi.efi")
+
+	osImage, err := ociosimage.Read(image)
 	if err != nil {
-		return fmt.Errorf("invalid bundle: %w", err)
+		return fmt.Errorf("failed to fetch OS image: %w", err)
 	}
-	defer efiPayload.Close()
-	systemImage, err := bundle.Open("verity_rootfs.img")
+
+	efiPayload, err := osImage.Payload("kernel.efi")
 	if err != nil {
-		return fmt.Errorf("invalid bundle: %w", err)
+		return fmt.Errorf("cannot open EFI payload in OS image: %w", err)
 	}
-	defer systemImage.Close()
+	systemImage, err := osImage.Payload("system")
+	if err != nil {
+		return fmt.Errorf("cannot open system image in OS image: %w", err)
+	}
+
 	activeSlot := s.CurrentlyRunningSlot()
 	if activeSlot == SlotInvalid {
 		return errors.New("unable to determine active slot, cannot continue")
@@ -300,8 +319,18 @@
 	if err != nil {
 		return status.Errorf(codes.Internal, "Inactive system slot unavailable: %v", err)
 	}
-	defer systemPart.Close()
-	if _, err := io.Copy(blockdev.NewRWS(systemPart), systemImage); err != nil {
+	systemImageContent, err := systemImage.Open()
+	if err != nil {
+		systemPart.Close()
+		return fmt.Errorf("failed to open system image: %w", err)
+	}
+	_, err = io.Copy(blockdev.NewRWS(systemPart), systemImageContent)
+	systemImageContent.Close()
+	closeErr := systemPart.Close()
+	if err == nil {
+		err = closeErr
+	}
+	if err != nil {
 		return status.Errorf(codes.Unavailable, "Failed to copy system image: %v", err)
 	}
 
@@ -310,7 +339,13 @@
 		return fmt.Errorf("failed to open boot file: %w", err)
 	}
 	defer bootFile.Close()
-	if _, err := io.Copy(bootFile, efiPayload); err != nil {
+	efiPayloadContent, err := efiPayload.Open()
+	if err != nil {
+		return fmt.Errorf("failed to open EFI payload: %w", err)
+	}
+	_, err = io.Copy(bootFile, efiPayloadContent)
+	efiPayloadContent.Close()
+	if err != nil {
 		return fmt.Errorf("failed to write boot file: %w", err)
 	}
 
@@ -331,38 +366,6 @@
 	return nil
 }
 
-func (*Service) tryDownloadBundle(ctx context.Context, bundleURL string, bundleRaw *bytes.Buffer) error {
-	bundleReq, err := http.NewRequestWithContext(ctx, "GET", bundleURL, nil)
-	if err != nil {
-		return fmt.Errorf("failed to create request: %w", err)
-	}
-	bundleRes, err := http.DefaultClient.Do(bundleReq)
-	if err != nil {
-		return fmt.Errorf("HTTP request failed: %w", err)
-	}
-	defer bundleRes.Body.Close()
-	switch bundleRes.StatusCode {
-	case http.StatusTooEarly, http.StatusTooManyRequests,
-		http.StatusInternalServerError, http.StatusBadGateway,
-		http.StatusServiceUnavailable, http.StatusGatewayTimeout:
-		return fmt.Errorf("HTTP error %d", bundleRes.StatusCode)
-	default:
-		// Non-standard code range used for proxy-related issue by various
-		// vendors. Treat as non-permanent error.
-		if bundleRes.StatusCode >= 520 && bundleRes.StatusCode < 599 {
-			return fmt.Errorf("HTTP error %d", bundleRes.StatusCode)
-		}
-		if bundleRes.StatusCode != 200 {
-			return backoff.Permanent(fmt.Errorf("HTTP error %d", bundleRes.StatusCode))
-		}
-	}
-	if _, err := bundleRaw.ReadFrom(bundleRes.Body); err != nil {
-		bundleRaw.Reset()
-		return err
-	}
-	return nil
-}
-
 // newMemfile creates a new file which is not located on a specific filesystem,
 // but is instead backed by anonymous memory.
 func newMemfile(name string, flags int) (*os.File, error) {
diff --git a/metropolis/proto/api/management.proto b/metropolis/proto/api/management.proto
index 81d4ca0..4146c51 100644
--- a/metropolis/proto/api/management.proto
+++ b/metropolis/proto/api/management.proto
@@ -401,7 +401,7 @@
   // UpdateNode updates the node operating system to a new version.
   //
   // Metropolis uses a side-by-side (A/B) update process. This method installs
-  // the OS from the given bundle into the inactive slot, activates that slot
+  // the OS from the given image into the inactive slot, activates that slot
   // and then (optionally) reboots to activate it.
   rpc UpdateNode(UpdateNodeRequest) returns (UpdateNodeResponse) {
     option (metropolis.proto.ext.authorization) = {
@@ -459,28 +459,6 @@
   repeated osbase.logtree.proto.LogEntry stream_entries = 2;
 }
 
-enum ActivationMode {
-  ACTIVATION_MODE_INVALID = 0;
-  // The new bundle is not activated immediately. It gets activated on the next
-  // reboot/reset.
-  ACTIVATION_MODE_NONE = 1;
-  // The node is rebooted immediately to activate the new image.
-  ACTIVATION_MODE_REBOOT = 2;
-  // The node uses kexec to activate the new image immediately without fully
-  // rebooting.
-  ACTIVATION_MODE_KEXEC = 3;
-}
-
-message UpdateNodeRequest {
-  // An HTTPS URL to a Metropolis bundle containing the new OS to install.
-  string bundle_url = 1;
-
-  reserved 2;
-
-  // Specifies how the updated image should be activated.
-  ActivationMode activation_mode = 3;
-}
-
 // OSImageRef contains the parameters for fetching an OS image from an OCI
 // registry.
 message OSImageRef {
@@ -496,6 +474,28 @@
   string digest = 5;
 }
 
+enum ActivationMode {
+  ACTIVATION_MODE_INVALID = 0;
+  // The new image is not activated immediately. It gets activated on the next
+  // reboot/reset.
+  ACTIVATION_MODE_NONE = 1;
+  // The node is rebooted immediately to activate the new image.
+  ACTIVATION_MODE_REBOOT = 2;
+  // The node uses kexec to activate the new image immediately without fully
+  // rebooting.
+  ACTIVATION_MODE_KEXEC = 3;
+}
+
+message UpdateNodeRequest {
+  reserved 1, 2;
+
+  // Parameters for fetching the new OS image to install.
+  metropolis.proto.api.OSImageRef os_image = 4;
+
+  // Specifies how the updated image should be activated.
+  ActivationMode activation_mode = 3;
+}
+
 message UpdateNodeResponse {}
 
 message UpdateNodeLabelsRequest {
diff --git a/osbase/oci/registry/client.go b/osbase/oci/registry/client.go
index c414108..4e60b7b 100644
--- a/osbase/oci/registry/client.go
+++ b/osbase/oci/registry/client.go
@@ -38,9 +38,9 @@
 )
 
 var (
-	repositoryRegexp = regexp.MustCompile(`^` + repositoryExpr + `$`)
-	tagRegexp        = regexp.MustCompile(`^` + tagExpr + `$`)
-	digestRegexp     = regexp.MustCompile(`^` + digestExpr + `$`)
+	RepositoryRegexp = regexp.MustCompile(`^` + repositoryExpr + `$`)
+	TagRegexp        = regexp.MustCompile(`^` + tagExpr + `$`)
+	DigestRegexp     = regexp.MustCompile(`^` + digestExpr + `$`)
 )
 
 // Client is an OCI registry client.
@@ -81,10 +81,10 @@
 // advantage of fetching by tag is that it allows a pull through cache to
 // display tags to a user inspecting the cache contents.
 func (c *Client) Read(ctx context.Context, tag, digest string) (*oci.Image, error) {
-	if !repositoryRegexp.MatchString(c.Repository) {
+	if !RepositoryRegexp.MatchString(c.Repository) {
 		return nil, fmt.Errorf("invalid repository %q", c.Repository)
 	}
-	if tag != "" && !tagRegexp.MatchString(tag) {
+	if tag != "" && !TagRegexp.MatchString(tag) {
 		return nil, fmt.Errorf("invalid tag %q", tag)
 	}
 	if digest != "" {
@@ -137,7 +137,7 @@
 }
 
 func (r *clientBlobs) Blob(descriptor *ocispecv1.Descriptor) (io.ReadCloser, error) {
-	if !digestRegexp.MatchString(string(descriptor.Digest)) {
+	if !DigestRegexp.MatchString(string(descriptor.Digest)) {
 		return nil, fmt.Errorf("invalid blob digest %q", descriptor.Digest)
 	}
 	blobPath := fmt.Sprintf("/v2/%s/blobs/%s", r.client.Repository, descriptor.Digest)
diff --git a/osbase/oci/registry/server.go b/osbase/oci/registry/server.go
index 13a9dc2..9c99c40 100644
--- a/osbase/oci/registry/server.go
+++ b/osbase/oci/registry/server.go
@@ -53,10 +53,10 @@
 //
 // If the tag is empty, the image can only be fetched by digest.
 func (s *Server) AddImage(repository string, tag string, image *oci.Image) error {
-	if !repositoryRegexp.MatchString(repository) {
+	if !RepositoryRegexp.MatchString(repository) {
 		return fmt.Errorf("invalid repository %q", repository)
 	}
-	if tag != "" && !tagRegexp.MatchString(tag) {
+	if tag != "" && !TagRegexp.MatchString(tag) {
 		return fmt.Errorf("invalid tag %q", tag)
 	}