{"id":869,"date":"2026-04-16T11:59:29","date_gmt":"2026-04-16T11:59:29","guid":{"rendered":"https:\/\/www.devopsschool.com\/tutorials\/oracle-cloud-container-registry-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-compute\/"},"modified":"2026-04-16T11:59:29","modified_gmt":"2026-04-16T11:59:29","slug":"oracle-cloud-container-registry-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-compute","status":"publish","type":"post","link":"https:\/\/www.devopsschool.com\/tutorials\/oracle-cloud-container-registry-tutorial-architecture-pricing-use-cases-and-hands-on-guide-for-compute\/","title":{"rendered":"Oracle Cloud Container Registry Tutorial: Architecture, Pricing, Use Cases, and Hands-On Guide for Compute"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\">Category<\/h2>\n\n\n\n<p>Compute<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">1. Introduction<\/h2>\n\n\n\n<p>Oracle Cloud <strong>Container Registry<\/strong> (often referred to in Oracle documentation as OCIR) is Oracle Cloud Infrastructure\u2019s managed registry for storing and distributing <strong>container images<\/strong> (for example, Docker\/OCI images) inside your Oracle Cloud tenancy.<\/p>\n\n\n\n<p>In simple terms: <strong>you build a container image, push it to Container Registry, and your compute platforms pull it when they deploy<\/strong>\u2014whether that compute is Kubernetes (Oracle Container Engine for Kubernetes), virtual machines, CI\/CD runners, or other container runtimes.<\/p>\n\n\n\n<p>Technically, Container Registry provides a <strong>secure, IAM-controlled, regional endpoint<\/strong> for private (and optionally public) repositories. 
It integrates with core Oracle Cloud building blocks such as <strong>IAM (users, groups, policies), compartments, Audit, Logging, Vulnerability Scanning<\/strong>, and compute runtimes like <strong>OKE<\/strong> and <strong>Compute instances<\/strong>.<\/p>\n\n\n\n<p>It solves a common problem in modern software delivery: <strong>how to reliably and securely store versioned container images<\/strong> so that development, CI systems, and production clusters all pull the same artifacts\u2014with access control, auditing, and lifecycle hygiene.<\/p>\n\n\n\n<blockquote>\n<p>Naming note (verify in official docs): Oracle commonly uses \u201cContainer Registry\u201d as the service name and \u201cOCIR\u201d as an acronym in documentation and examples. This tutorial uses <strong>Container Registry<\/strong> as the primary name throughout.<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">2. What is Container Registry?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Official purpose<\/h3>\n\n\n\n<p>Oracle Cloud <strong>Container Registry<\/strong> is a managed service for <strong>storing, managing, and distributing container images<\/strong> in Oracle Cloud Infrastructure (OCI). 
Images are stored in <strong>repositories<\/strong>, organized using <strong>compartments<\/strong>, and accessed via <strong>regional registry endpoints<\/strong>.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Core capabilities<\/h3>\n\n\n\n<p>Container Registry typically supports the following capabilities (confirm exact feature availability in your region\/tenancy in official docs):<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Private repositories<\/strong> (most common for internal applications)<\/li>\n<li><strong>Public repositories<\/strong> (useful for open-source distribution or demos, subject to your organization\u2019s policies)<\/li>\n<li><strong>Versioned images<\/strong> using tags and immutable digests<\/li>\n<li><strong>IAM-based access control<\/strong> using OCI policies and compartments<\/li>\n<li><strong>Regional endpoints<\/strong> for push\/pull operations<\/li>\n<li>Integration patterns for:<\/li>\n<li><strong>Oracle Container Engine for Kubernetes (OKE)<\/strong><\/li>\n<li><strong>Compute instances<\/strong><\/li>\n<li><strong>CI\/CD pipelines<\/strong> (including OCI DevOps and third-party tools)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Major components<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Registry endpoint<\/strong>: The regional hostname you authenticate to and push\/pull from (for example, <code>&lt;region-key&gt;.ocir.io<\/code> in many OCI examples\u2014verify the exact endpoint format for your region in official docs).<\/li>\n<li><strong>Namespace<\/strong>: A tenancy-level identifier used in image paths. In OCI, this often aligns with the <strong>Object Storage namespace<\/strong> for the tenancy (verify in official docs).<\/li>\n<li><strong>Repository<\/strong>: Logical container for images. 
Typically created in a specific <strong>compartment<\/strong> and configured for public\/private access.<\/li>\n<li><strong>Image artifacts<\/strong>: Image manifests and layers, addressed by tag (<code>:v1.2.3<\/code>) or digest (<code>@sha256:...<\/code>).<\/li>\n<li><strong>IAM policies<\/strong>: Control who can create repositories, push images, pull images, and manage settings.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Service type<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Managed container image registry<\/strong> (artifact storage and distribution for OCI container images).<\/li>\n<li>Not a compute runtime by itself; it supports the <strong>Compute<\/strong> ecosystem by supplying deployable images.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Scope: regional vs global<\/h3>\n\n\n\n<p>Container Registry is commonly treated as a <strong>regional service<\/strong> in practice:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You push to and pull from a <strong>regional endpoint<\/strong>.<\/li>\n<li>Production architectures often consider <strong>multi-region image distribution<\/strong> (replication strategies vary\u2014verify current built-in replication features, if any, in official docs).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">How it fits into the Oracle Cloud ecosystem<\/h3>\n\n\n\n<p>Container Registry sits in the \u201cbuild and release\u201d layer of OCI:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Developers and CI pipelines <strong>push<\/strong> images after building.<\/li>\n<li>Compute platforms (OKE, VMs, serverless container runtimes if used) <strong>pull<\/strong> images to run workloads.<\/li>\n<li>Security services (like <strong>Vulnerability Scanning<\/strong>) can scan stored images.<\/li>\n<li>Governance services (IAM, compartments, tags, Audit) control and record access.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">3. 
Why use Container Registry?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Business reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Faster releases<\/strong>: A central image registry enables repeatable deployments across environments.<\/li>\n<li><strong>Standardization<\/strong>: Teams use a consistent image source instead of ad-hoc file transfers or unmanaged registries.<\/li>\n<li><strong>Reduced operational burden<\/strong>: No need to self-manage registry scaling, patching, and availability.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Technical reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>OCI-native authentication and authorization<\/strong> using IAM policies and compartments.<\/li>\n<li><strong>Immutable image references<\/strong> via digests for reliable rollbacks and reproducibility.<\/li>\n<li><strong>Compatible with standard tooling<\/strong> such as Docker CLI and Kubernetes image pulls.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operational reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Centralized registry simplifies:<\/li>\n<li>Versioning and promotion workflows (dev \u2192 stage \u2192 prod)<\/li>\n<li>Incident response (identify exactly which image digest is deployed)<\/li>\n<li>Automation (CI systems can push\/pull consistently)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Security\/compliance reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>IAM policies enforce least privilege (who can push vs who can pull).<\/li>\n<li>Audit trails help with compliance and incident investigation.<\/li>\n<li>Integration with vulnerability scanning (where enabled) supports image security posture checks.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Scalability\/performance reasons<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Pull performance generally benefits when your registry and compute are in the same region, close to your VCN.<\/li>\n<li>You avoid bottlenecks of a single self-hosted 
registry node.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">When teams should choose it<\/h3>\n\n\n\n<p>Choose Oracle Cloud Container Registry when you:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Run workloads on <strong>OKE<\/strong> or <strong>Compute<\/strong> in Oracle Cloud and want a registry close to your runtime.<\/li>\n<li>Need <strong>compartment-based isolation<\/strong> and OCI IAM governance.<\/li>\n<li>Want a managed registry to reduce operational overhead.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">When teams should not choose it<\/h3>\n\n\n\n<p>Consider alternatives when:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You require a single <strong>global registry endpoint<\/strong> with built-in global replication guarantees and strict cross-region artifact SLAs that OCI Container Registry may not provide (verify current replication options).<\/li>\n<li>You are locked into a different cloud ecosystem and egress\/latency makes OCI registry impractical.<\/li>\n<li>Your organization mandates a particular enterprise registry platform (e.g., Artifactory\/Harbor) for multi-cloud governance and custom workflows.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">4. 
Where is Container Registry used?<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Industries<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>SaaS and software companies shipping microservices<\/li>\n<li>Financial services, telecom, healthcare (where audit and access control matter)<\/li>\n<li>Retail and logistics (CI\/CD-driven deployments)<\/li>\n<li>Public sector (compartmentalized governance and access control)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Team types<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Platform engineering teams running Kubernetes platforms<\/li>\n<li>DevOps\/SRE teams managing CI\/CD and runtime reliability<\/li>\n<li>Application teams building containerized services<\/li>\n<li>Security engineering teams scanning and gating images<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Workloads<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Microservices and APIs<\/li>\n<li>Background workers and schedulers<\/li>\n<li>Web frontends packaged as containers<\/li>\n<li>Batch jobs and ETL processes<\/li>\n<li>Internal tools deployed to Kubernetes<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Architectures<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Kubernetes-based architectures (OKE + Ingress + service mesh)<\/li>\n<li>VM-based container workloads (Docker\/containerd on Compute instances)<\/li>\n<li>Hybrid architectures (on-prem CI building, OCI registry storing, OCI runtime pulling)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Real-world deployment contexts<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Multi-environment pipelines (dev\/stage\/prod)<\/li>\n<li>Multi-compartment separation (teams, projects, business units)<\/li>\n<li>Multi-region DR scenarios (registry strategy must be planned\u2014verify replication options)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Production vs dev\/test usage<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Dev\/test<\/strong>: rapid iteration, frequent pushes, 
\u201clatest\u201d tags (discouraged in production).<\/li>\n<li><strong>Production<\/strong>: immutable tags, digest pinning, scanning, retention policies, strict IAM.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">5. Top Use Cases and Scenarios<\/h2>\n\n\n\n<p>Below are realistic scenarios where Oracle Cloud Container Registry is a strong fit.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">1) Private microservices registry for OKE<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Kubernetes clusters need a secure place to pull private images.<\/li>\n<li><strong>Why it fits<\/strong>: OCI-native IAM, private repositories, regional proximity.<\/li>\n<li><strong>Example<\/strong>: An OKE cluster in <code>us-ashburn-1<\/code> pulls <code>us-ashburn-1.ocir.io\/&lt;namespace&gt;\/payments\/api:1.4.2<\/code>.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">2) CI pipeline artifact store for container images<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: CI builds container images and needs a versioned, centralized distribution point.<\/li>\n<li><strong>Why it fits<\/strong>: Standard Docker login\/push workflows and IAM control.<\/li>\n<li><strong>Example<\/strong>: OCI DevOps (or Jenkins) builds and pushes <code>:commit-sha<\/code> tags for every merge.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">3) Image promotion across environments using tags<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Promoting builds from dev to prod reliably.<\/li>\n<li><strong>Why it fits<\/strong>: Re-tagging or digest pinning supports controlled promotion.<\/li>\n<li><strong>Example<\/strong>: Promote <code>:1.4.2-rc1<\/code> to <code>:1.4.2<\/code> after staging tests pass.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">4) Multi-team compartmentalized registry governance<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Different 
teams need isolation and least privilege.<\/li>\n<li><strong>Why it fits<\/strong>: Compartments + policies align to org structure.<\/li>\n<li><strong>Example<\/strong>: <code>TeamA-Compartment<\/code> and <code>TeamB-Compartment<\/code> each have their own repositories and policies.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">5) Secure distribution of internal base images<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Teams need a trusted hardened base image (e.g., minimal OS + approved libraries).<\/li>\n<li><strong>Why it fits<\/strong>: Centralized image source reduces supply-chain drift.<\/li>\n<li><strong>Example<\/strong>: Platform team publishes <code>base\/java17:2026.04<\/code> and all apps build FROM it.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6) Vulnerability scanning integration for image hygiene<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Security needs visibility into known CVEs in images.<\/li>\n<li><strong>Why it fits<\/strong>: OCI Vulnerability Scanning can scan images stored in the registry (verify enablement and scope).<\/li>\n<li><strong>Example<\/strong>: Security dashboard flags high CVEs; pipeline blocks release until patched.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">7) Pull-through caching strategy (when applicable)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: External registry rate limits or latency affects builds.<\/li>\n<li><strong>Why it fits<\/strong>: If OCI supports caching patterns for dependencies, it can reduce external dependency pressure (verify if native pull-through cache exists; otherwise use mirrored images).<\/li>\n<li><strong>Example<\/strong>: Mirror frequently used public images into Container Registry and reference them internally.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">8) Immutable release deployments using image digests<\/h3>\n\n\n\n<ul 
class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Tags can be moved; production requires immutability.<\/li>\n<li><strong>Why it fits<\/strong>: Kubernetes supports <code>image@sha256:...<\/code> pulls for exact artifacts.<\/li>\n<li><strong>Example<\/strong>: Deploy <code>api@sha256:&lt;digest&gt;<\/code> to ensure reproducibility.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">9) Air-gapped-ish or controlled egress OCI environments<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Production VCNs restrict egress; images must come from controlled sources.<\/li>\n<li><strong>Why it fits<\/strong>: OCI-hosted registry can be reachable without broad internet access (network design required).<\/li>\n<li><strong>Example<\/strong>: Private subnets pull from OCI services via approved paths (verify Service Gateway\/NAT patterns for your region).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">10) Shared registry for ephemeral preview environments<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Each PR spins up an environment and needs images quickly.<\/li>\n<li><strong>Why it fits<\/strong>: Tag images per PR and clean up later.<\/li>\n<li><strong>Example<\/strong>: Push <code>:pr-1843<\/code> and delete after merge.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">11) Disaster recovery readiness (with planned strategy)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: A region outage requires redeploying images elsewhere.<\/li>\n<li><strong>Why it fits<\/strong>: OCI supports multi-region architectures; you can design an image distribution approach (verify native replication vs manual mirroring).<\/li>\n<li><strong>Example<\/strong>: Pipeline pushes to two regions or copies images periodically.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">12) Centralized registry for VM-hosted containers<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: Legacy apps 
run containers on VMs rather than Kubernetes.<\/li>\n<li><strong>Why it fits<\/strong>: Docker\/containerd on OCI Compute can authenticate and pull from Container Registry.<\/li>\n<li><strong>Example<\/strong>: A VM in a private subnet pulls and runs <code>worker:2.0.1<\/code>.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">6. Core Features<\/h2>\n\n\n\n<blockquote>\n<p>Feature availability can differ by region and tenancy settings. Validate against the official docs for your environment.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">6.1 Repositories (private\/public)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Provides repositories to store related images.<\/li>\n<li><strong>Why it matters<\/strong>: Repositories are the unit of organization and access control.<\/li>\n<li><strong>Practical benefit<\/strong>: Separate <code>frontend<\/code>, <code>api<\/code>, <code>worker<\/code>, and <code>base<\/code> images with distinct permissions.<\/li>\n<li><strong>Caveats<\/strong>: Public repositories may have organizational risk; confirm governance and policy requirements.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.2 IAM integration (users, groups, policies, compartments)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Controls who can create repositories, push images, and pull images.<\/li>\n<li><strong>Why it matters<\/strong>: Prevents unauthorized publishing and reduces blast radius.<\/li>\n<li><strong>Practical benefit<\/strong>: CI can push; runtime can pull; developers get read-only access.<\/li>\n<li><strong>Caveats<\/strong>: Policy verbs (<code>inspect\/read\/use\/manage<\/code>) and resource types must be correct\u2014verify in the official IAM policy reference for Container Registry.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.3 Regional registry endpoints<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it 
does<\/strong>: Serves images from a region-specific endpoint.<\/li>\n<li><strong>Why it matters<\/strong>: Improves pull latency when compute is in-region and simplifies network planning.<\/li>\n<li><strong>Practical benefit<\/strong>: Faster deploys and less cross-region traffic.<\/li>\n<li><strong>Caveats<\/strong>: Multi-region deployments require strategy for image distribution.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.4 Standard OCI image format support (OCI\/Docker)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Works with standard container tooling (Docker CLI, containerd).<\/li>\n<li><strong>Why it matters<\/strong>: Minimal tooling changes.<\/li>\n<li><strong>Practical benefit<\/strong>: Existing pipelines can push with <code>docker push<\/code>.<\/li>\n<li><strong>Caveats<\/strong>: Feature parity with every Docker Registry API extension is not guaranteed\u2014verify for any advanced integrations.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.5 Image tagging and digests<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Supports tags (<code>:v1<\/code>) and immutable digests (<code>@sha256:...<\/code>).<\/li>\n<li><strong>Why it matters<\/strong>: Tags are convenient; digests are reliable for production immutability.<\/li>\n<li><strong>Practical benefit<\/strong>: Use tags for humans, digests for deployment locks.<\/li>\n<li><strong>Caveats<\/strong>: Tag mutability can break rollbacks if teams overwrite tags.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.6 Access tokens for registry authentication (Auth Token)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Uses OCI user credentials + an <strong>Auth Token<\/strong> for Docker login flows.<\/li>\n<li><strong>Why it matters<\/strong>: Enables standard <code>docker login<\/code> while keeping IAM centrally managed.<\/li>\n<li><strong>Practical benefit<\/strong>: CI systems use auth 
tokens instead of storing console passwords.<\/li>\n<li><strong>Caveats<\/strong>: Token lifecycle and rotation are your responsibility; store tokens in a secrets manager.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.7 Audit and governance integration<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: OCI Audit can record API activity; tags can govern resources.<\/li>\n<li><strong>Why it matters<\/strong>: Compliance and accountability.<\/li>\n<li><strong>Practical benefit<\/strong>: Trace who changed repository visibility or pushed images (where captured).<\/li>\n<li><strong>Caveats<\/strong>: Not all data-plane operations may appear the same way as control-plane events\u2014verify audit coverage.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.8 Vulnerability scanning integration (via OCI Vulnerability Scanning)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Scans images for known vulnerabilities (CVE-based), depending on configuration.<\/li>\n<li><strong>Why it matters<\/strong>: Detects risky images before deployment.<\/li>\n<li><strong>Practical benefit<\/strong>: Security gates in CI\/CD and better inventory of vulnerabilities.<\/li>\n<li><strong>Caveats<\/strong>: Scanning frequency, supported OS\/package managers, and licensing\/enablement vary\u2014verify in official Vulnerability Scanning docs.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">6.9 Console, CLI, and API management<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Manage repositories and images using OCI Console, OCI CLI, SDKs.<\/li>\n<li><strong>Why it matters<\/strong>: Automation and reproducibility.<\/li>\n<li><strong>Practical benefit<\/strong>: Infrastructure-as-code pipelines can manage registry resources.<\/li>\n<li><strong>Caveats<\/strong>: Image push\/pull uses Docker\/OCI registry protocols; repository management uses OCI APIs.<\/li>\n<\/ul>\n\n\n\n<h3 
class=\"wp-block-heading\">6.10 Compartment-based isolation<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>What it does<\/strong>: Repositories live in compartments, aligning with OCI\u2019s governance model.<\/li>\n<li><strong>Why it matters<\/strong>: Clean separation of environments and teams.<\/li>\n<li><strong>Practical benefit<\/strong>: Restrict prod repositories to a prod compartment with strict policies.<\/li>\n<li><strong>Caveats<\/strong>: Cross-compartment access needs explicit policies and operational discipline.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">7. Architecture and How It Works<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">High-level architecture<\/h3>\n\n\n\n<p>Container Registry has two main planes:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Control plane<\/strong>: Repository management (create repo, set visibility, IAM\/policy relationships, compartment placement).<\/li>\n<li><strong>Data plane<\/strong>: Image layer transfer over registry protocols (push\/pull, manifests, blobs).<\/li>\n<\/ul>\n\n\n\n<p>A typical workflow:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Developer\/CI builds an image locally or in CI.<\/li>\n<li>CI authenticates to the regional registry endpoint (Docker login with username + Auth Token).<\/li>\n<li>CI pushes image layers and manifest to the repository path.<\/li>\n<li>Runtime (OKE nodes, deployments, or VMs) authenticates and pulls the image.<\/li>\n<li>Optional: Vulnerability scanning scans stored images and reports findings.<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Request\/data\/control flow<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Authentication<\/strong>: Docker registry login uses OCI user identity + Auth Token (or an equivalent method supported by OCI).<\/li>\n<li><strong>Authorization<\/strong>: OCI IAM policies determine whether the user can push\/pull\/manage repositories.<\/li>\n<li><strong>Network path<\/strong>: Push\/pull traffic goes to OCI\u2019s registry endpoint. 
Your environment may require NAT, Service Gateway, or allowed egress to the registry endpoint depending on your network design (verify recommended network patterns in OCI docs for your region).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Integrations with related services<\/h3>\n\n\n\n<p>Common integrations include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Oracle Container Engine for Kubernetes (OKE)<\/strong>: Pull images for Deployments, StatefulSets, Jobs.<\/li>\n<li><strong>OCI DevOps<\/strong> (if used): Build pipelines and deployment pipelines.<\/li>\n<li><strong>OCI Identity and Access Management (IAM)<\/strong>: Users, groups, dynamic groups, policies.<\/li>\n<li><strong>OCI Vulnerability Scanning<\/strong>: Image scanning and reporting.<\/li>\n<li><strong>OCI Logging\/Audit\/Cloud Guard<\/strong>: Governance and security monitoring.<\/li>\n<li><strong>Vault<\/strong> (or external secrets): Store auth tokens and Kubernetes pull secrets.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Dependency services<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>IAM<\/strong> is foundational.<\/li>\n<li><strong>Compartments<\/strong> organize and isolate repos.<\/li>\n<li>For compute consumption, you\u2019ll typically also use <strong>OKE<\/strong> or <strong>Compute<\/strong>.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Security\/authentication model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Registry authentication commonly uses:<\/li>\n<li>OCI user + <strong>Auth Token<\/strong> for Docker login<\/li>\n<li>Appropriate IAM policies to access repositories<\/li>\n<li>For Kubernetes:<\/li>\n<li>Image pull secrets may be used, or OCI-native mechanisms depending on cluster configuration (verify your OKE version and recommended approach).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Networking model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Registry is accessed through a <strong>public OCI endpoint<\/strong> in the region.<\/li>\n<li>Private network access patterns depend 
on OCI capabilities and architecture (for example: whether Service Gateway supports registry endpoints in your region, or whether NAT is required). <strong>Verify in official docs<\/strong> for the latest guidance.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Monitoring\/logging\/governance considerations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Track:<\/li>\n<li>repository creation and configuration changes (Audit)<\/li>\n<li>image scanning results (Vulnerability Scanning)<\/li>\n<li>CI logs for push failures<\/li>\n<li>Govern:<\/li>\n<li>naming and tagging<\/li>\n<li>retention policies and cleanup automation<\/li>\n<li>least privilege policies and token rotation<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Simple architecture diagram (Mermaid)<\/h3>\n\n\n\n<pre><code class=\"language-mermaid\">flowchart LR\n  Dev[Developer \/ CI Runner] --&gt;|docker build| Img[Container Image]\n  Dev --&gt;|docker login + docker push| OCIR[Oracle Cloud Container Registry&lt;br\/&gt;Regional Endpoint]\n  OKE[OKE Cluster or Compute VM] --&gt;|docker pull \/ kubelet pull| OCIR\n  OCIR --&gt; Scan[\"OCI Vulnerability Scanning&lt;br\/&gt;(optional)\"]\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Production-style architecture diagram (Mermaid)<\/h3>\n\n\n\n<pre><code class=\"language-mermaid\">flowchart TB\n  subgraph DevSecOps[\"DevSecOps (OCI Tenancy)\"]\n    Git[Source Repo] --&gt; CI[\"Build Pipeline&lt;br\/&gt;(OCI DevOps \/ Jenkins)\"]\n    CI --&gt;|\"Build + Tag (commit SHA)\"| Img[Image Artifact]\n    CI --&gt;|Push| Reg[Container Registry&lt;br\/&gt;Private Repos]\n    Reg --&gt;|Scan results| VSS[OCI Vulnerability Scanning]\n    VSS --&gt;|Findings| SecDash[\"Security Dashboard&lt;br\/&gt;(Cloud Guard \/ Reports)\"]\n  end\n\n  subgraph Runtime[\"Runtime (Compute)\"]\n    subgraph VCN[\"VCN\"]\n      subgraph Private[\"Private Subnets\"]\n        OKE[OKE Worker Nodes] --&gt;|Pull image| Reg\n        Apps[Workloads\/Pods] --&gt; OKE\n      end\n      NAT[\"NAT 
Gateway \/ Approved Egress&lt;br\/&gt;(verify architecture)\"]:::note\n    end\n  end\n\n  Reg -. IAM Policies .-&gt; IAM[IAM: Users\/Groups\/Policies]\n  Reg -. Audit Events .-&gt; Audit[OCI Audit]\n  classDef note fill:#f6f6f6,stroke:#999,color:#333;\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">8. Prerequisites<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Tenancy and account requirements<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>An active <strong>Oracle Cloud (OCI) tenancy<\/strong> with permission to use Container Registry in a region.<\/li>\n<li>Access to the OCI Console and (optionally) OCI CLI.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Permissions \/ IAM roles<\/h3>\n\n\n\n<p>You need IAM permissions to:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Create\/manage repositories in a compartment.<\/li>\n<li>Push and pull images (which is typically governed by the same \u201crepo\u201d permissions).<\/li>\n<\/ul>\n\n\n\n<p>OCI IAM policy syntax is precise. Start with the official policy reference for Container Registry and adapt it. 
Common patterns often look like (verify resource types\/verbs in official docs):<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Manage repositories:<\/li>\n<li><code>allow group &lt;group-name&gt; to manage repos in compartment &lt;compartment-name&gt;<\/code><\/li>\n<li>Pull images:<\/li>\n<li><code>allow group &lt;group-name&gt; to read repos in compartment &lt;compartment-name&gt;<\/code><\/li>\n<\/ul>\n\n\n\n<blockquote>\n<p><strong>Verify<\/strong> the correct resource type name (often <code>repos<\/code>) and the exact verb required for push\/pull in the latest Oracle Cloud docs for Container Registry and IAM policies.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">Billing requirements<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Container Registry is a paid service based on <strong>storage and network<\/strong> usage (details in Pricing section).<\/li>\n<li>You may be able to use Oracle Cloud Free Tier credits depending on your account type\u2014verify eligibility.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Tools needed<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Docker<\/strong> installed locally (or another OCI-compatible container tool).<\/li>\n<li>Optional but recommended:<\/li>\n<li><strong>OCI CLI<\/strong>: for retrieving tenancy namespace and automating tasks.<ul>\n<li>CLI docs: https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/API\/SDKDocs\/cliinstall.htm (verify latest)<\/li>\n<\/ul>\n<\/li>\n<li><code>kubectl<\/code> if integrating with Kubernetes later.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Region availability<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Choose a region where Container Registry is available in your tenancy.<\/li>\n<li>Ensure your compute runtime (OKE\/VMs) is in the same region for best performance.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Quotas\/limits<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>OCI applies service limits (for example, number of repositories, 
storage). Check:<\/li>\n<li>OCI service limits in Console for Container Registry<\/li>\n<li>Tenancy-level quotas<\/li>\n<li>Limits vary by region and tenancy; do not assume defaults.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Prerequisite services (common)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>IAM users\/groups\/policies<\/li>\n<li>(Optional) Vault\/Secrets management for CI tokens<\/li>\n<li>(Optional) Vulnerability Scanning if enabling scans<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">9. Pricing \/ Cost<\/h2>\n\n\n\n<blockquote>\n<p>OCI pricing changes over time and varies by region and contract. Use official pricing pages and your tenancy\u2019s cost reports. Do not rely on hard-coded numbers.<\/p>\n<\/blockquote>\n\n\n\n<h3 class=\"wp-block-heading\">Current pricing model (typical dimensions)<\/h3>\n\n\n\n<p>Oracle Cloud Container Registry costs are usually driven by:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>\n<p><strong>Storage consumed by images<\/strong><br\/>\n   &#8211; Charged per GB-month (or similar unit) based on the total stored layers\/manifests.\n   &#8211; Storage growth is often the primary long-term cost driver.<\/p>\n<\/li>\n<li>\n<p><strong>Network data transfer<\/strong>\n   &#8211; <strong>Ingress<\/strong> (uploading images) is often cheaper or free in many clouds, but <strong>verify OCI\u2019s policy<\/strong>.\n   &#8211; <strong>Egress<\/strong> (pulling images out of a region or to the internet) can incur charges.\n   &#8211; Cross-region pulls can introduce inter-region data transfer costs.<\/p>\n<\/li>\n<li>\n<p><strong>Associated services<\/strong>\n   &#8211; Vulnerability scanning may have its own pricing model or included quotas (verify).\n   &#8211; CI runners, build services, and Kubernetes\/VM compute resources are billed separately.<\/p>\n<\/li>\n<\/ol>\n\n\n\n<h3 class=\"wp-block-heading\">Free tier (if applicable)<\/h3>\n\n\n\n<p>Oracle Cloud has a 
Free Tier program, but eligibility and included services vary. <strong>Verify in official docs<\/strong> whether Container Registry storage or requests are included, and any limits.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Key cost drivers (practical)<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Number of image versions retained<\/strong> (tags) and frequency of rebuilds<\/li>\n<li><strong>Large base images<\/strong> and multi-arch images<\/li>\n<li><strong>Cross-region deployments<\/strong> pulling from a different region<\/li>\n<li><strong>CI pipelines that pull\/push repeatedly<\/strong> (especially if not caching build layers)<\/li>\n<li><strong>Keeping old, unused tags<\/strong> indefinitely<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Hidden or indirect costs<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>OKE node egress<\/strong> if pulling from another region or through NAT to public endpoints<\/li>\n<li><strong>Build environment costs<\/strong> (OCI DevOps build runners, compute instances)<\/li>\n<li><strong>Logging retention<\/strong> (if you ship logs to Logging\/Object Storage)<\/li>\n<li><strong>Security scanning<\/strong> costs (if billed separately)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Network\/data transfer implications<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Keep Container Registry and runtimes in the <strong>same region<\/strong> to reduce latency and transfer charges.<\/li>\n<li>If you require multi-region, consider <strong>explicit multi-region push<\/strong> strategies rather than constant cross-region pulls.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">How to optimize cost<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use <strong>image retention policies<\/strong> (if available) or automated cleanup jobs.<\/li>\n<li>Prefer <strong>small base images<\/strong> and multi-stage builds.<\/li>\n<li>Use <strong>unique tags<\/strong> per build, but prune aggressively (e.g., keep last N builds 
per branch).<\/li>\n<li>Avoid copying identical layers unnecessarily\u2014standard Docker layering helps.<\/li>\n<li>Pin production deployments by digest and keep a minimal set of release images.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Example low-cost starter estimate (no fabricated numbers)<\/h3>\n\n\n\n<p>A small lab setup typically includes:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>1\u20133 small images (tens to hundreds of MB each)<\/li>\n<li>A handful of pushes\/pulls during the month<\/li>\n<li>Minimal egress if everything stays in one region<\/li>\n<\/ul>\n\n\n\n<p>Your cost will mainly be:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>a small amount of registry storage<\/strong><\/li>\n<li><strong>negligible in-region pulls<\/strong><\/li>\n<li>plus whatever compute you run (VM\/OKE), billed separately<\/li>\n<\/ul>\n\n\n\n<p>Use:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>OCI pricing page: https:\/\/www.oracle.com\/cloud\/pricing\/<\/li>\n<li>OCI price list: https:\/\/www.oracle.com\/cloud\/price-list\/<\/li>\n<li>OCI cost estimator: https:\/\/www.oracle.com\/cloud\/costestimator.html<\/li>\n<\/ul>\n\n\n\n<p>Search within the official price list for <strong>\u201cContainer Registry\u201d<\/strong> and confirm the SKU details for your region.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Example production cost considerations<\/h3>\n\n\n\n<p>In production, plan for:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Storage growth from CI producing many tags per service per day<\/li>\n<li>Egress and inter-region transfer for DR\/multi-region<\/li>\n<li>Vulnerability scanning at scale<\/li>\n<li>Artifact retention to meet compliance (e.g., keep releases for 1\u20137 years)<\/li>\n<\/ul>\n\n\n\n<p>A common cost-control pattern is:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Keep <strong>release tags<\/strong> long-term<\/li>\n<li>Keep <strong>build tags<\/strong> short-term (e.g., 7\u201330 days)<\/li>\n<li>Mirror only what you need into secondary regions<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">10. 
Step-by-Step Hands-On Tutorial<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Objective<\/h3>\n\n\n\n<p>Build a small container image locally, create a private repository in Oracle Cloud Container Registry, authenticate using an Auth Token, <strong>push<\/strong> the image, then <strong>pull<\/strong> it back to verify end-to-end functionality. Finish by cleaning up resources to avoid ongoing costs.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Lab Overview<\/h3>\n\n\n\n<p>You will:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Collect required OCI identifiers (region endpoint, tenancy namespace).<\/li>\n<li>Create a compartment and a private repository (Console).<\/li>\n<li>Create an Auth Token (Console).<\/li>\n<li>Build a tiny container image locally.<\/li>\n<li>Log in to Container Registry with Docker and push the image.<\/li>\n<li>Verify in the OCI Console that the image exists.<\/li>\n<li>Pull the image back and run it locally.<\/li>\n<li>Clean up (delete image\/repository and revoke token).<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected time<\/strong>: 30\u201360 minutes<br\/>\n<strong>Cost<\/strong>: Low (storage and minimal network), but not zero\u2014clean up at the end.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 1: Choose region and gather tenancy namespace<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">1.1 Identify your registry endpoint (region-specific)<\/h4>\n\n\n\n<p>OCI Container Registry endpoints are regional. 
In many OCI examples, the endpoint format looks like:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>&lt;region-key&gt;.ocir.io<\/code><\/li>\n<\/ul>\n\n\n\n<p>Example (illustrative only): <code>us-ashburn-1.ocir.io<\/code><\/p>\n\n\n\n<p><strong>Action<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>In the OCI Console, confirm your region (top right).<\/li>\n<li>In official Container Registry docs, confirm the correct endpoint for your region.<\/li>\n<\/ul>\n\n\n\n<p><strong>Expected outcome<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You know your <strong>region key<\/strong> and registry endpoint hostname.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">1.2 Retrieve your tenancy namespace<\/h4>\n\n\n\n<p>OCI commonly uses a \u201cnamespace\u201d in the image path. This is often the same as the tenancy\u2019s Object Storage namespace.<\/p>\n\n\n\n<p><strong>Option A (Console)<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Look up the tenancy namespace via OCI Console where namespaces are displayed (varies by UI; verify in docs).<\/li>\n<\/ul>\n\n\n\n<p><strong>Option B (OCI CLI)<\/strong><br\/>\nIf you have OCI CLI configured:<\/p>\n\n\n\n<pre><code class=\"language-bash\">oci os ns get\n<\/code><\/pre>\n\n\n\n<p>This returns something like:<\/p>\n\n\n\n<pre><code class=\"language-text\">{\n  \"data\": \"mytenancynamespace\"\n}\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You have your namespace value, such as <code>mytenancynamespace<\/code>.<\/li>\n<\/ul>\n\n\n\n<blockquote>\n<p>If you can\u2019t access the namespace, confirm IAM permissions for Object Storage namespace retrieval or find the namespace in Console. Verify the recommended approach in official docs.<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 2: Create a compartment (recommended for labs)<\/h3>\n\n\n\n<p>Compartments help you isolate resources and simplify cleanup.<\/p>\n\n\n\n<p><strong>Action (Console)<\/strong><\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Open OCI Console \u2192 <strong>Identity &amp; Security<\/strong> \u2192 <strong>Compartments<\/strong><\/li>\n<li>Click <strong>Create Compartment<\/strong><\/li>\n<li>Name: <code>lab-container-registry<\/code><\/li>\n<li>Description: <code>Lab resources for Container Registry tutorial<\/code><\/li>\n<li>Parent compartment: your root compartment (or appropriate parent)<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A compartment named <code>lab-container-registry<\/code> exists.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 3: Create a private repository in Container Registry<\/h3>\n\n\n\n<p><strong>Action (Console)<\/strong><\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Open OCI Console \u2192 search for <strong>Container Registry<\/strong><\/li>\n<li>Select your region (if prompted).<\/li>\n<li>Choose compartment: <code>lab-container-registry<\/code><\/li>\n<li>Click <strong>Create Repository<\/strong><\/li>\n<li>Repository name: <code>hello-ocir<\/code> (or <code>labs\/hello-ocir<\/code> if you want a path-style name)<\/li>\n<li>Visibility: <strong>Private<\/strong><\/li>\n<li>Create<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>A private repository exists, and the console shows the repository details.<\/li>\n<li>You can see the <strong>repository path format<\/strong> OCI expects (use that exact format).<\/li>\n<\/ul>\n\n\n\n<blockquote>\n<p>Note: Some registries auto-create repositories on push; OCI commonly prefers explicit repository creation for governance. Follow the official guidance for your tenancy settings.<\/p>\n<\/blockquote>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 4: Create an Auth Token for Docker login<\/h3>\n\n\n\n<p>OCI Container Registry commonly uses an <strong>Auth Token<\/strong> for Docker CLI authentication.<\/p>\n\n\n\n<p><strong>Action (Console)<\/strong><\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>OCI Console \u2192 Profile menu (top right) \u2192 <strong>My Profile<\/strong> (or <strong>User settings<\/strong> in IAM)<\/li>\n<li>Find <strong>Auth Tokens<\/strong><\/li>\n<li>Click <strong>Generate Token<\/strong><\/li>\n<li>Description: <code>docker-login-lab<\/code><\/li>\n<li>Copy the token value and store it securely (you will not be able to view it again)<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You have an Auth Token string saved securely.<\/li>\n<\/ul>\n\n\n\n<p><strong>Security note<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Treat the Auth Token like a password.<\/li>\n<li>Do not paste it into tickets or commit it to git.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 5: Ensure IAM policies allow repository access<\/h3>\n\n\n\n<p>If you get authorization errors later, you likely need IAM policies.<\/p>\n\n\n\n<p><strong>Action<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Ensure your user belongs to a group with permissions to manage\/push\/pull from repositories in <code>lab-container-registry<\/code>.<\/li>\n<\/ul>\n\n\n\n<p>A commonly needed policy set might include (verify exact policy syntax and required verbs in the official docs):<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>For repository management (create\/update):<\/li>\n<li>\n<p><code>allow group &lt;group-name&gt; to manage repos in compartment lab-container-registry<\/code><\/p>\n<\/li>\n<li>\n<p>For pushing\/pulling images:<\/p>\n<\/li>\n<li>Some environments require <code>manage<\/code> or <code>use<\/code> on repos; confirm required permissions.<\/li>\n<li>Example (verify): <code>allow group &lt;group-name&gt; to read repos in compartment lab-container-registry<\/code><\/li>\n<\/ul>\n\n\n\n<p><strong>Expected outcome<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Your user can view and manage the repository and push\/pull images.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 6: Build a small container image locally<\/h3>\n\n\n\n<p>Create a minimal app and Dockerfile.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">6.1 Create files<\/h4>\n\n\n\n<pre><code class=\"language-bash\">mkdir -p hello-ocir &amp;&amp; cd hello-ocir\n<\/code><\/pre>\n\n\n\n<p>Create <code>app.py<\/code>:<\/p>\n\n\n\n<pre><code class=\"language-python\">from http.server import 
BaseHTTPRequestHandler, HTTPServer\n\nclass Handler(BaseHTTPRequestHandler):\n    def do_GET(self):\n        msg = b\"Hello from Oracle Cloud Container Registry!\\n\"\n        self.send_response(200)\n        self.send_header(\"Content-Type\", \"text\/plain\")\n        self.send_header(\"Content-Length\", str(len(msg)))\n        self.end_headers()\n        self.wfile.write(msg)\n\nif __name__ == \"__main__\":\n    HTTPServer((\"0.0.0.0\", 8080), Handler).serve_forever()\n<\/code><\/pre>\n\n\n\n<p>Create <code>Dockerfile<\/code>:<\/p>\n\n\n\n<pre><code class=\"language-dockerfile\">FROM python:3.12-slim\n\nWORKDIR \/app\nCOPY app.py \/app\/app.py\n\nEXPOSE 8080\nCMD [\"python\", \"\/app\/app.py\"]\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">6.2 Build the image<\/h4>\n\n\n\n<pre><code class=\"language-bash\">docker build -t hello-ocir:1.0 .\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; Docker build completes successfully.\n&#8211; You can list the image:<\/p>\n\n\n\n<pre><code class=\"language-bash\">docker images | grep hello-ocir\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 7: Tag the image for Oracle Cloud Container Registry<\/h3>\n\n\n\n<p>OCI image naming typically follows the pattern:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><code>&lt;region-endpoint&gt;\/&lt;namespace&gt;\/&lt;repo-name&gt;:&lt;tag&gt;<\/code><\/li>\n<\/ul>\n\n\n\n<p>Example (illustrative):\n&#8211; <code>us-ashburn-1.ocir.io\/mytenancynamespace\/hello-ocir:1.0<\/code><\/p>\n\n\n\n<p><strong>Action<\/strong>\nSet environment variables (replace with your values):<\/p>\n\n\n\n<pre><code class=\"language-bash\">export REGION_KEY=\"us-ashburn-1\"         # example; replace\nexport OCIR_ENDPOINT=\"${REGION_KEY}.ocir.io\"\nexport NAMESPACE=\"mytenancynamespace\"    # replace\nexport REPO=\"hello-ocir\"                 # repository name you created\nexport TAG=\"1.0\"\n\nexport 
IMAGE_LOCAL=\"hello-ocir:${TAG}\"\nexport IMAGE_REMOTE=\"${OCIR_ENDPOINT}\/${NAMESPACE}\/${REPO}:${TAG}\"\n\ndocker tag \"${IMAGE_LOCAL}\" \"${IMAGE_REMOTE}\"\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; <code>docker images<\/code> shows the same image with the remote tag.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 8: Docker login to Container Registry and push the image<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">8.1 Determine your Docker username format<\/h4>\n\n\n\n<p>OCI\u2019s Docker username format depends on your identity source (OCI IAM vs federation). Common patterns seen in Oracle docs include:\n&#8211; <code>&lt;namespace&gt;\/&lt;username&gt;<\/code>\n&#8211; Or (in some federated setups) a prefix such as <code>oracleidentitycloudservice\/&lt;username&gt;<\/code><\/p>\n\n\n\n<p><strong>Action<\/strong>\n&#8211; Follow the <strong>exact username format shown in the official Container Registry documentation for your identity type<\/strong>.<\/p>\n\n\n\n<p>Set:<\/p>\n\n\n\n<pre><code class=\"language-bash\">export DOCKER_USER=\"&lt;namespace&gt;\/&lt;your-oci-username&gt;\"  # verify required format\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">8.2 Login<\/h4>\n\n\n\n<pre><code class=\"language-bash\">docker login \"${OCIR_ENDPOINT}\" -u \"${DOCKER_USER}\"\n<\/code><\/pre>\n\n\n\n<p>When prompted for password, paste the <strong>Auth Token<\/strong> you generated.<\/p>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; <code>Login Succeeded<\/code><\/p>\n\n\n\n<h4 class=\"wp-block-heading\">8.3 Push<\/h4>\n\n\n\n<pre><code class=\"language-bash\">docker push \"${IMAGE_REMOTE}\"\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; Docker uploads layers and reports a pushed manifest.\n&#8211; You see output similar to:\n  &#8211; <code>pushed<\/code>\n  &#8211; <code>digest: sha256:...<\/code><\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 
class=\"wp-block-heading\">Step 9: Verify the image in OCI Console<\/h3>\n\n\n\n<p><strong>Action (Console)<\/strong>\n1. OCI Console \u2192 <strong>Container Registry<\/strong>\n2. Compartment: <code>lab-container-registry<\/code>\n3. Open repository <code>hello-ocir<\/code>\n4. View images\/tags<\/p>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; You see tag <code>1.0<\/code> and the image digest.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Step 10: Pull and run the image locally (verification)<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">10.1 Remove local copy (to prove pull works)<\/h4>\n\n\n\n<pre><code class=\"language-bash\">docker rmi \"${IMAGE_REMOTE}\" || true\ndocker rmi \"${IMAGE_LOCAL}\" || true\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\">10.2 Pull from Container Registry<\/h4>\n\n\n\n<pre><code class=\"language-bash\">docker pull \"${IMAGE_REMOTE}\"\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; Pull completes successfully.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">10.3 Run<\/h4>\n\n\n\n<pre><code class=\"language-bash\">docker run --rm -p 8080:8080 \"${IMAGE_REMOTE}\"\n<\/code><\/pre>\n\n\n\n<p>In another terminal:<\/p>\n\n\n\n<pre><code class=\"language-bash\">curl -s http:\/\/localhost:8080\/\n<\/code><\/pre>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; Output:<\/p>\n\n\n\n<pre><code class=\"language-text\">Hello from Oracle Cloud Container Registry!\n<\/code><\/pre>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Validation<\/h3>\n\n\n\n<p>Use this checklist:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>[ ] <code>docker login &lt;region&gt;.ocir.io<\/code> succeeds<\/li>\n<li>[ ] <code>docker push<\/code> completes and prints a digest<\/li>\n<li>[ ] OCI Console shows repository tag <code>1.0<\/code><\/li>\n<li>[ ] <code>docker pull<\/code> works after deleting local images<\/li>\n<li>[ ] Running the container responds on 
<code>http:\/\/localhost:8080\/<\/code><\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 class=\"wp-block-heading\">Troubleshooting<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">Problem: <code>unauthorized: authentication required<\/code><\/h4>\n\n\n\n<p>Common causes:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Wrong username format for OCI Container Registry login<\/li>\n<li>Using the OCI Console password instead of the Auth Token<\/li>\n<li>Auth Token copied incorrectly (extra spaces)<\/li>\n<\/ul>\n\n\n\n<p>Fix:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Re-check the official username format in OCI docs for your identity type.<\/li>\n<li>Generate a new Auth Token and try again.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Problem: <code>denied: requested access to the resource is denied<\/code><\/h4>\n\n\n\n<p>Common causes:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>IAM policies do not allow pushing\/pulling from the repository compartment.<\/li>\n<\/ul>\n\n\n\n<p>Fix:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Confirm your user is in the correct group.<\/li>\n<li>Confirm the policy is in the correct compartment (or tenancy scope).<\/li>\n<li>Verify the exact policy syntax for Container Registry (<code>repos<\/code> resource type, correct verb).<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Problem: Push works, but OKE\/VM pull fails later<\/h4>\n\n\n\n<p>Common causes:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Runtime doesn\u2019t have credentials or policies.<\/li>\n<li>Kubernetes imagePullSecret not configured.<\/li>\n<li>Network egress restrictions prevent access to the registry endpoint.<\/li>\n<\/ul>\n\n\n\n<p>Fix:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>For Kubernetes, configure an image pull secret (or OCI-supported native integration\u2014verify).<\/li>\n<li>Confirm network path and egress rules.<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Problem: <code>no basic auth credentials<\/code><\/h4>\n\n\n\n<p>Cause:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Docker client is not logged in for that registry endpoint.<\/li>\n<\/ul>\n\n\n\n<p>Fix:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Run <code>docker login &lt;endpoint&gt;<\/code> again.<\/li>\n<li>Check <code>~\/.docker\/config.json<\/code> for stored credentials.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h3 
class=\"wp-block-heading\">Cleanup<\/h3>\n\n\n\n<p>To avoid ongoing charges and reduce security risk:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li><strong>Delete images<\/strong> in the repository (Console: repository \u2192 delete image versions).<\/li>\n<li><strong>Delete the repository<\/strong>:\n   &#8211; OCI Console \u2192 Container Registry \u2192 repository \u2192 delete<\/li>\n<li><strong>Revoke\/delete the Auth Token<\/strong> used for the lab:\n   &#8211; Profile \u2192 Auth Tokens \u2192 delete <code>docker-login-lab<\/code><\/li>\n<li>(Optional) <strong>Delete the compartment<\/strong> <code>lab-container-registry<\/code> (only if it contains no other resources).<\/li>\n<\/ol>\n\n\n\n<p><strong>Expected outcome<\/strong>\n&#8211; No remaining repositories\/images for this lab and no active token.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">11. Best Practices<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Architecture best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Keep registry and compute in the <strong>same region<\/strong> for latency and cost control.<\/li>\n<li>Use <strong>separate compartments<\/strong> for dev\/stage\/prod registries (or at least separate repositories with strict policies).<\/li>\n<li>Prefer <strong>digest pinning<\/strong> in production deployments.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">IAM\/security best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Grant least privilege:<\/li>\n<li>CI service account: push permissions<\/li>\n<li>Runtime identities: pull-only<\/li>\n<li>Developers: read-only where possible<\/li>\n<li>Use <strong>separate OCI users<\/strong> (or identities) for CI rather than personal accounts.<\/li>\n<li>Rotate Auth Tokens regularly and store them in a secrets manager.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Cost best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Implement retention:<\/li>\n<li>Keep last N 
build tags per branch<\/li>\n<li>Keep releases longer<\/li>\n<li>Avoid huge images:<\/li>\n<li>Use multi-stage builds<\/li>\n<li>Minimize layers and dependencies<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Performance best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Use consistent tagging to leverage layer caching in CI.<\/li>\n<li>Reduce base image churn.<\/li>\n<li>Avoid cross-region pulls for routine deployments.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Reliability best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Pin by digest for release deployments.<\/li>\n<li>Maintain rollback images for each service.<\/li>\n<li>Document your image promotion strategy (tagging conventions).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Operations best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Standardize naming:<\/li>\n<li><code>team\/service:version<\/code><\/li>\n<li><code>team\/service:commit-sha<\/code><\/li>\n<li>Use tags\/labels (OCI resource tags where applicable) for ownership and cost tracking.<\/li>\n<li>Monitor scanning findings and define an escalation path.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Governance\/tagging\/naming best practices<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Enforce naming conventions for repositories:<\/li>\n<li><code>org\/team\/app<\/code><\/li>\n<li>Use OCI defined tags\/free-form tags for:<\/li>\n<li>cost center<\/li>\n<li>environment<\/li>\n<li>owner<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">12. 
Security Considerations<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Identity and access model<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Container Registry authorization is governed by OCI IAM:<\/li>\n<li>Compartments scope access boundaries.<\/li>\n<li>Policies define allowed actions on repositories.<\/li>\n<li>Use separate identities for:<\/li>\n<li>administrators<\/li>\n<li>CI publishers<\/li>\n<li>production pullers<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Encryption<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>OCI services typically encrypt data at rest using OCI-managed keys, with optional customer-managed keys in some services. <strong>Verify<\/strong> whether Container Registry supports customer-managed keys (Vault KMS) in your region and tenancy configuration.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Network exposure<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Registry endpoints are typically public regional endpoints.<\/li>\n<li>If your VCN restricts egress, ensure controlled access to registry endpoints.<\/li>\n<li>Avoid broad \u201callow all egress\u201d rules; explicitly allow required destinations per your security model (verify practical patterns in OCI networking docs).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Secrets handling<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Store Auth Tokens in:<\/li>\n<li>OCI Vault (preferred where supported for secret storage)<\/li>\n<li>CI secret stores (GitHub Actions secrets, Jenkins credentials, etc.)<\/li>\n<li>Never store tokens in:<\/li>\n<li>Dockerfiles<\/li>\n<li>source code<\/li>\n<li>plaintext wiki pages<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Audit\/logging<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Enable and review OCI Audit logs for changes to repositories and policies.<\/li>\n<li>Track who created public repositories and when.<\/li>\n<li>Keep logs retained according to compliance needs.<\/li>\n<\/ul>\n\n\n\n<h3 
class=\"wp-block-heading\">Compliance considerations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Ensure images don\u2019t contain:<\/li>\n<li>embedded credentials<\/li>\n<li>private keys<\/li>\n<li>license-prohibited components<\/li>\n<li>Use vulnerability scanning and SBOM practices (SBOM generation is typically an external tool; verify OCI\u2019s native capabilities in your environment).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Common security mistakes<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Using <code>:latest<\/code> for production deployments<\/li>\n<li>Sharing one Auth Token among many systems without rotation<\/li>\n<li>Making repositories public without approval<\/li>\n<li>Allowing developers to push directly into production repositories<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Secure deployment recommendations<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Separate \u201cbuild\u201d and \u201crelease\u201d repositories or enforce promotion gates.<\/li>\n<li>Require vulnerability scanning and block high-severity CVEs in CI gates.<\/li>\n<li>Use digest pinning for production.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">13. Limitations and Gotchas<\/h2>\n\n\n\n<blockquote>\n<p>These are common real-world issues; always verify current limitations in the official docs for your region.<\/p>\n<\/blockquote>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Regional nature<\/strong>: Images live behind regional endpoints; multi-region requires a strategy.<\/li>\n<li><strong>IAM policy precision<\/strong>: Small policy syntax mistakes cause <code>denied<\/code> errors; confirm correct verbs\/resource types.<\/li>\n<li><strong>Username format differences<\/strong>: Docker login username varies depending on identity source (OCI IAM vs federated). 
Verify the exact format.<\/li>\n<li><strong>Tag mutability<\/strong>: If your process allows retagging, tags can drift and break reproducibility.<\/li>\n<li><strong>Large image sizes<\/strong>: Big base images increase storage and pull time.<\/li>\n<li><strong>Cleanup is not automatic<\/strong>: Without retention, storage grows indefinitely.<\/li>\n<li><strong>Network restrictions<\/strong>: Private subnets may need NAT or approved access to registry endpoints (verify recommended OCI network patterns).<\/li>\n<li><strong>Kubernetes pull authentication<\/strong>: OKE workloads need pull credentials if repos are private; misconfigured imagePullSecrets are common.<\/li>\n<li><strong>Scanning coverage<\/strong>: Vulnerability scanning results depend on OS\/package manager support and configuration\u2014verify supported technologies.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">14. Comparison with Alternatives<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Nearest services in Oracle Cloud<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>OCI Artifacts (Artifact Registry)<\/strong> (if available in your tenancy): often used for generic artifacts (Maven\/npm\/Helm, etc.). Container Registry is specifically for container images. 
Verify the current OCI product lineup and recommended usage.<\/li>\n<li><strong>Object Storage<\/strong>: can store tarballs but is not a container registry (no tag\/digest workflows, no native docker pull).<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Nearest services in other clouds<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>AWS: Amazon ECR<\/li>\n<li>Azure: Azure Container Registry (ACR)<\/li>\n<li>Google Cloud: Artifact Registry \/ Container Registry (legacy in some contexts)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Open-source\/self-managed alternatives<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Harbor<\/li>\n<li>JFrog Artifactory (commercial, but often self-managed)<\/li>\n<li>Docker Registry (open-source)<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Comparison table<\/h4>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Option<\/th>\n<th>Best For<\/th>\n<th>Strengths<\/th>\n<th>Weaknesses<\/th>\n<th>When to Choose<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><strong>Oracle Cloud Container Registry<\/strong><\/td>\n<td>OCI-native container image storage for OKE\/Compute<\/td>\n<td>IAM + compartments, managed service, regional proximity to OCI compute<\/td>\n<td>Multi-region strategy may require extra planning; features vary by region<\/td>\n<td>You run workloads on OCI and want OCI governance + managed registry<\/td>\n<\/tr>\n<tr>\n<td><strong>OCI Artifacts (if used)<\/strong><\/td>\n<td>Non-container artifacts (and possibly containers depending on OCI service evolution)<\/td>\n<td>Unified artifact management for build outputs<\/td>\n<td>May not replace full container registry workflows in all cases (verify)<\/td>\n<td>You need a central artifact service for multiple artifact types<\/td>\n<\/tr>\n<tr>\n<td><strong>Self-managed Harbor<\/strong><\/td>\n<td>Enterprises needing custom policies, replication, and multi-cloud<\/td>\n<td>Rich policy engine, replication, integrated scanning options<\/td>\n<td>You 
manage uptime, scaling, patching; operational overhead<\/td>\n<td>You need deep customization, on-prem integration, or strict residency controls<\/td>\n<\/tr>\n<tr>\n<td><strong>AWS ECR<\/strong><\/td>\n<td>AWS-native deployments<\/td>\n<td>Tight AWS integrations, mature ecosystem<\/td>\n<td>Cross-cloud pulls add cost\/latency<\/td>\n<td>Your runtime is primarily on AWS<\/td>\n<\/tr>\n<tr>\n<td><strong>Azure ACR<\/strong><\/td>\n<td>Azure-native deployments<\/td>\n<td>Tight AKS integration, enterprise features<\/td>\n<td>Cross-cloud pulls add cost\/latency<\/td>\n<td>Your runtime is primarily on Azure<\/td>\n<\/tr>\n<tr>\n<td><strong>Google Artifact Registry<\/strong><\/td>\n<td>GCP-native deployments<\/td>\n<td>Unified artifacts + containers<\/td>\n<td>Cross-cloud pulls add cost\/latency<\/td>\n<td>Your runtime is primarily on GCP<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">15. Real-World Example<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Enterprise example: regulated microservices platform on OKE<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: A financial services organization runs dozens of microservices on OKE and must meet audit and least-privilege requirements. 
They need controlled image publishing and traceability.<\/li>\n<li><strong>Proposed architecture<\/strong><\/li>\n<li>Separate compartments: <code>dev<\/code>, <code>stage<\/code>, <code>prod<\/code><\/li>\n<li>Container Registry repositories per domain: <code>payments\/api<\/code>, <code>identity\/auth<\/code>, etc.<\/li>\n<li>CI publishes to dev repo; promotion pipeline re-tags or copies to prod repo after approvals<\/li>\n<li>Vulnerability scanning enabled; high CVEs block release<\/li>\n<li>OKE production clusters have pull-only permissions<\/li>\n<li><strong>Why Container Registry was chosen<\/strong><\/li>\n<li>OCI IAM and compartments fit the governance model<\/li>\n<li>Registry is managed, reducing operational burden<\/li>\n<li>Regional proximity improves pull performance<\/li>\n<li><strong>Expected outcomes<\/strong><\/li>\n<li>Faster, auditable deployments<\/li>\n<li>Reduced risk from unauthorized image pushes<\/li>\n<li>Standardized rollback using digests and retained release tags<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Startup\/small-team example: small SaaS with one OKE cluster<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Problem<\/strong>: A startup needs a simple registry to store images for a few services and deploy to a single OKE cluster with minimal overhead.<\/li>\n<li><strong>Proposed architecture<\/strong><\/li>\n<li>One compartment: <code>startup-prod<\/code><\/li>\n<li>One repo per service: <code>web<\/code>, <code>api<\/code>, <code>worker<\/code><\/li>\n<li>GitHub Actions builds and pushes tags <code>:main-&lt;sha&gt;<\/code> and <code>:release-&lt;version&gt;<\/code><\/li>\n<li>Simple cleanup job deletes old <code>main-*<\/code> tags beyond 14 days<\/li>\n<li><strong>Why Container Registry was chosen<\/strong><\/li>\n<li>Simple Docker workflow and OCI-managed service<\/li>\n<li>Easy alignment with OCI compute usage<\/li>\n<li><strong>Expected outcomes<\/strong><\/li>\n<li>Reliable deployments, minimal ops 
work<\/li>\n<li>Predictable costs controlled by retention and small images<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">16. FAQ<\/h2>\n\n\n\n<p>1) <strong>Is Oracle Cloud Container Registry the same as running Docker Registry on a VM?<\/strong><br\/>\nNo. Container Registry is a <strong>managed OCI service<\/strong> with IAM\/compartment integration. A self-hosted registry on a VM is fully your responsibility to secure, scale, patch, and back up.<\/p>\n\n\n\n<p>2) <strong>Is Container Registry regional or global?<\/strong><br\/>\nIt\u2019s typically used as a <strong>regional<\/strong> service with regional endpoints. Plan multi-region deployments explicitly.<\/p>\n\n\n\n<p>3) <strong>Do I need Kubernetes (OKE) to use Container Registry?<\/strong><br\/>\nNo. You can push\/pull images using Docker from laptops, CI systems, and Compute instances.<\/p>\n\n\n\n<p>4) <strong>How do I authenticate with Docker?<\/strong><br\/>\nCommonly via <code>docker login &lt;region&gt;.ocir.io<\/code> using an OCI username format and an <strong>Auth Token<\/strong> as the password. Username format can vary; verify in official docs.<\/p>\n\n\n\n<p>5) <strong>Can I make repositories public?<\/strong><br\/>\nOften yes, but you should treat public repos as a security and compliance decision. Verify tenancy policies and available repository visibility settings.<\/p>\n\n\n\n<p>6) <strong>How should I tag images?<\/strong><br\/>\nAvoid <code>latest<\/code> in production. Prefer <code>:vX.Y.Z<\/code> and <code>:commit-sha<\/code>, and consider digest pinning for production deployments.<\/p>\n\n\n\n<p>7) <strong>What is a digest and why use it?<\/strong><br\/>\nA digest (<code>sha256:...<\/code>) uniquely identifies an image\u2019s content. Using digests prevents \u201ctag drift\u201d and increases deployment reproducibility.<\/p>\n\n\n\n<p>8) <strong>How do I control who can push images?<\/strong><br\/>\nUse OCI IAM policies and groups. 
Give push permissions only to CI identities or release engineers, not every developer.<\/p>\n\n\n\n<p>9) <strong>Can OKE pull from private repositories automatically?<\/strong><br\/>\nIt depends on cluster configuration and IAM setup. Often you must provide credentials (imagePullSecret) or configure OCI-supported identity mechanisms. Verify recommended approach for your OKE version.<\/p>\n\n\n\n<p>10) <strong>Does Container Registry support vulnerability scanning?<\/strong><br\/>\nOCI commonly supports scanning via <strong>OCI Vulnerability Scanning<\/strong> integrated with the registry. Availability and configuration vary\u2014verify in official docs.<\/p>\n\n\n\n<p>11) <strong>How do I reduce registry storage cost?<\/strong><br\/>\nUse retention\/cleanup for old tags, reduce image size, and keep only required release artifacts.<\/p>\n\n\n\n<p>12) <strong>What happens if I delete a tag?<\/strong><br\/>\nDeleting a tag can remove that reference to the image. Depending on implementation, blobs may remain until garbage collection policies apply (verify OCI behavior).<\/p>\n\n\n\n<p>13) <strong>Can I restrict registry access to private networks only?<\/strong><br\/>\nThe registry endpoint is typically public, but network design can restrict which subnets can reach it. Verify OCI-supported private access patterns for registry endpoints.<\/p>\n\n\n\n<p>14) <strong>How do I handle multi-region disaster recovery?<\/strong><br\/>\nPlan a strategy: push images to multiple regions, mirror images, or rebuild from source in the DR region. Verify OCI features for replication.<\/p>\n\n\n\n<p>15) <strong>What is the biggest operational gotcha?<\/strong><br\/>\nUncontrolled growth of tags\/images and poor IAM hygiene (shared tokens, broad permissions). 
Retention and least privilege solve most issues.<\/p>\n\n\n\n<p>16) <strong>Can I use Podman instead of Docker?<\/strong><br\/>\nIf Podman supports the standard OCI registry protocol and auth flow, it may work, but verify with OCI docs and test in your environment.<\/p>\n\n\n\n<p>17) <strong>Is Container Registry part of the Compute category?<\/strong><br\/>\nIt\u2019s often thought of as a \u201cdeveloper services\u201d component, but it directly supports <strong>Compute<\/strong> workloads by supplying deployable container images.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">17. Top Online Resources to Learn Container Registry<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Resource Type<\/th>\n<th>Name<\/th>\n<th>Why It Is Useful<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Official documentation<\/td>\n<td>OCI Container Registry docs: https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/Registry\/home.htm<\/td>\n<td>Primary reference for repositories, auth, endpoints, and IAM requirements<\/td>\n<\/tr>\n<tr>\n<td>Official IAM documentation<\/td>\n<td>OCI IAM overview: https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/Identity\/home.htm<\/td>\n<td>Understand compartments, groups, policies, and least privilege<\/td>\n<\/tr>\n<tr>\n<td>Official CLI documentation<\/td>\n<td>OCI CLI install\/config: https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/API\/SDKDocs\/cliinstall.htm<\/td>\n<td>Automate namespace lookup and OCI operations<\/td>\n<\/tr>\n<tr>\n<td>Official pricing<\/td>\n<td>Oracle Cloud Pricing: https:\/\/www.oracle.com\/cloud\/pricing\/<\/td>\n<td>Entry point for pricing model and links to price list<\/td>\n<\/tr>\n<tr>\n<td>Official price list<\/td>\n<td>Oracle Cloud Price List: https:\/\/www.oracle.com\/cloud\/price-list\/<\/td>\n<td>Find \u201cContainer Registry\u201d SKUs and region-dependent pricing<\/td>\n<\/tr>\n<tr>\n<td>Official cost estimator<\/td>\n<td>OCI Cost Estimator: 
https:\/\/www.oracle.com\/cloud\/costestimator.html<\/td>\n<td>Build cost scenarios without guessing<\/td>\n<\/tr>\n<tr>\n<td>Official security scanning<\/td>\n<td>OCI Vulnerability Scanning docs (start page): https:\/\/docs.oracle.com\/en-us\/iaas\/scanning\/home.htm (verify)<\/td>\n<td>Configure image scanning and interpret findings<\/td>\n<\/tr>\n<tr>\n<td>Official Kubernetes service<\/td>\n<td>OKE docs: https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/ContEng\/home.htm<\/td>\n<td>Learn how OKE pulls images and how to configure auth<\/td>\n<\/tr>\n<tr>\n<td>Official Audit<\/td>\n<td>OCI Audit docs: https:\/\/docs.oracle.com\/en-us\/iaas\/Content\/Audit\/home.htm<\/td>\n<td>Track changes to repositories and policies for compliance<\/td>\n<\/tr>\n<tr>\n<td>Learning labs\/tutorials<\/td>\n<td>Oracle \u201cLearn\u201d tutorials: https:\/\/docs.oracle.com\/en\/learn\/<\/td>\n<td>Hands-on labs across OCI services (search for Container Registry\/OCIR)<\/td>\n<\/tr>\n<tr>\n<td>Videos<\/td>\n<td>Oracle Cloud Infrastructure YouTube: https:\/\/www.youtube.com\/@OracleCloudInfrastructure<\/td>\n<td>Product walkthroughs and best practices (search for OCIR\/Container Registry)<\/td>\n<\/tr>\n<tr>\n<td>Community (reputable)<\/td>\n<td>OCI architecture blog and community posts (verify sources)<\/td>\n<td>Practical patterns and troubleshooting tips; cross-check with official docs<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">18. 
Training and Certification Providers<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Institute<\/th>\n<th>Suitable Audience<\/th>\n<th>Likely Learning Focus<\/th>\n<th>Mode<\/th>\n<th>Website URL<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>DevOpsSchool.com<\/td>\n<td>DevOps engineers, SREs, platform teams<\/td>\n<td>CI\/CD, containers, Kubernetes, OCI practices<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>ScmGalaxy.com<\/td>\n<td>Beginners to intermediate DevOps learners<\/td>\n<td>SCM, build\/release pipelines, DevOps fundamentals<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.scmgalaxy.com\/<\/td>\n<\/tr>\n<tr>\n<td>CLoudOpsNow.in<\/td>\n<td>CloudOps\/operations teams<\/td>\n<td>Cloud operations, automation, monitoring<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.cloudopsnow.in\/<\/td>\n<\/tr>\n<tr>\n<td>SreSchool.com<\/td>\n<td>SREs, reliability-focused engineers<\/td>\n<td>SRE principles, operations, incident response<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.sreschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>AiOpsSchool.com<\/td>\n<td>Ops + automation learners<\/td>\n<td>AIOps concepts, automation, monitoring analytics<\/td>\n<td>Check website<\/td>\n<td>https:\/\/www.aiopsschool.com\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">19. 
Top Trainers<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Platform\/Site<\/th>\n<th>Likely Specialization<\/th>\n<th>Suitable Audience<\/th>\n<th>Website URL<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>RajeshKumar.xyz<\/td>\n<td>DevOps\/cloud training content (verify offerings)<\/td>\n<td>Beginners to working engineers<\/td>\n<td>https:\/\/rajeshkumar.xyz\/<\/td>\n<\/tr>\n<tr>\n<td>devopstrainer.in<\/td>\n<td>DevOps coaching\/training (verify offerings)<\/td>\n<td>DevOps practitioners<\/td>\n<td>https:\/\/www.devopstrainer.in\/<\/td>\n<\/tr>\n<tr>\n<td>devopsfreelancer.com<\/td>\n<td>Freelance DevOps enablement (verify offerings)<\/td>\n<td>Teams needing short-term help<\/td>\n<td>https:\/\/www.devopsfreelancer.com\/<\/td>\n<\/tr>\n<tr>\n<td>devopssupport.in<\/td>\n<td>DevOps support\/training resources (verify offerings)<\/td>\n<td>Operations and support engineers<\/td>\n<td>https:\/\/www.devopssupport.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">20. 
Top Consulting Companies<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>Company<\/th>\n<th>Likely Service Area<\/th>\n<th>Where They May Help<\/th>\n<th>Consulting Use Case Examples<\/th>\n<th>Website URL<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>cotocus.com<\/td>\n<td>Cloud\/DevOps consulting (verify service catalog)<\/td>\n<td>Architecture, CI\/CD, container platforms<\/td>\n<td>Container image governance, pipeline hardening, OKE deployment patterns<\/td>\n<td>https:\/\/cotocus.com\/<\/td>\n<\/tr>\n<tr>\n<td>DevOpsSchool.com<\/td>\n<td>DevOps consulting and training (verify service catalog)<\/td>\n<td>DevOps transformation, tooling, automation<\/td>\n<td>Registry strategy, IAM best practices, CI\/CD rollout, operational runbooks<\/td>\n<td>https:\/\/www.devopsschool.com\/<\/td>\n<\/tr>\n<tr>\n<td>DEVOPSCONSULTING.IN<\/td>\n<td>DevOps consulting (verify service catalog)<\/td>\n<td>Implementation support and optimization<\/td>\n<td>Container supply-chain security, registry cleanup automation, cost optimization<\/td>\n<td>https:\/\/www.devopsconsulting.in\/<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">21. 
Career and Learning Roadmap<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">What to learn before Container Registry<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Container fundamentals:<\/li>\n<li>Docker\/OCI images, layers, tags vs digests<\/li>\n<li>Basic Docker CLI workflows (<code>build<\/code>, <code>tag<\/code>, <code>push<\/code>, <code>pull<\/code>, <code>run<\/code>)<\/li>\n<li>OCI foundations:<\/li>\n<li>Tenancies, compartments, regions<\/li>\n<li>IAM users\/groups\/policies<\/li>\n<li>Basic networking (VCN, subnets, egress design)<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">What to learn after Container Registry<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Kubernetes on OCI (OKE):<\/li>\n<li>Deployments, Services, Ingress<\/li>\n<li>Image pull secrets and workload identity patterns<\/li>\n<li>CI\/CD:<\/li>\n<li>OCI DevOps or third-party tools<\/li>\n<li>Promotion strategies and release automation<\/li>\n<li>Security:<\/li>\n<li>Vulnerability scanning, SBOM generation, signing (e.g., cosign\u2014external)<\/li>\n<li>Secret management (OCI Vault)<\/li>\n<li>Observability:<\/li>\n<li>Logging, metrics, tracing, audit analysis<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Job roles that use it<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Cloud\/DevOps Engineer<\/li>\n<li>Platform Engineer<\/li>\n<li>SRE<\/li>\n<li>Kubernetes Administrator<\/li>\n<li>Security Engineer (container security \/ DevSecOps)<\/li>\n<li>Solutions Architect<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Certification path (if available)<\/h3>\n\n\n\n<p>Oracle\u2019s certification catalog changes. 
Start here and search for OCI\/DevOps\/Kubernetes tracks:\nhttps:\/\/education.oracle.com\/ (verify current OCI certification paths)<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Project ideas for practice<\/h3>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Build a multi-service app and push images with commit SHA tags.<\/li>\n<li>Add a cleanup script to delete tags older than N days (using OCI APIs\/CLI where supported).<\/li>\n<li>Deploy from Container Registry to OKE using digest pinning.<\/li>\n<li>Enable vulnerability scanning and create a simple \u201cfail build if critical CVEs\u201d gate.<\/li>\n<li>Implement a two-compartment model (dev\/prod) with strict IAM and promotion workflow.<\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">22. Glossary<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Auth Token<\/strong>: An OCI-generated token used like a password for authenticating tooling such as Docker to OCI services.<\/li>\n<li><strong>Compartment<\/strong>: OCI\u2019s logical container for organizing and isolating cloud resources with policies.<\/li>\n<li><strong>Container image<\/strong>: A packaged filesystem + metadata used to run containers (OCI\/Docker format).<\/li>\n<li><strong>Digest<\/strong>: A cryptographic hash (e.g., <code>sha256:...<\/code>) identifying exact image content.<\/li>\n<li><strong>Docker login<\/strong>: Command that stores credentials locally for a registry endpoint.<\/li>\n<li><strong>Egress<\/strong>: Network traffic leaving a region\/VCN to another region or the internet, often billed.<\/li>\n<li><strong>IAM policy<\/strong>: A rule defining what actions a group\/dynamic group can perform on resources in a scope.<\/li>\n<li><strong>Namespace<\/strong>: A tenancy-level identifier used in OCI registry image paths (often aligned with Object Storage namespace; verify).<\/li>\n<li><strong>OKE<\/strong>: Oracle Container Engine for Kubernetes, OCI\u2019s managed Kubernetes 
service.<\/li>\n<li><strong>Repository<\/strong>: A named collection of container images (tags\/digests) within a registry.<\/li>\n<li><strong>Tag<\/strong>: A human-readable label for an image version (e.g., <code>:1.0<\/code>, <code>:commit-sha<\/code>).<\/li>\n<li><strong>Tenancy<\/strong>: Your top-level OCI account boundary containing compartments, IAM, and resources.<\/li>\n<li><strong>Vulnerability scanning<\/strong>: Automated analysis to detect known vulnerabilities (CVEs) in images.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">23. Summary<\/h2>\n\n\n\n<p>Oracle Cloud <strong>Container Registry<\/strong> is OCI\u2019s managed service for storing and distributing container images that power <strong>Compute<\/strong> workloads such as <strong>OKE<\/strong> clusters and <strong>Compute instances<\/strong>. It matters because it becomes the controlled \u201csource of truth\u201d for deployable artifacts: images are versioned, access-controlled with IAM, auditable, and close to your runtime for performance.<\/p>\n\n\n\n<p>Cost is primarily driven by <strong>image storage growth<\/strong> and <strong>data transfer<\/strong>, especially cross-region or internet egress. Security depends on <strong>least-privilege IAM<\/strong>, safe handling and rotation of <strong>Auth Tokens<\/strong>, and (where enabled) <strong>vulnerability scanning<\/strong> to reduce supply-chain risk.<\/p>\n\n\n\n<p>Use Container Registry when you want OCI-native governance and a managed registry tightly aligned to OCI compute. 
Next steps: integrate it into a CI\/CD pipeline, enable scanning, and deploy images to OKE using digest pinning for production-grade reliability.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Compute<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26,62],"tags":[],"class_list":["post-869","post","type-post","status-publish","format-standard","hentry","category-compute","category-oracle-cloud"],"_links":{"self":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/869","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/comments?post=869"}],"version-history":[{"count":0,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/posts\/869\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/media?parent=869"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/categories?post=869"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.devopsschool.com\/tutorials\/wp-json\/wp\/v2\/tags?post=869"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}