Hello and welcome to this lesson on managing Oracle Cloud Infrastructure Registry. My name is Mahindra Meela and I am a Senior Training Lead and Evangelist with Oracle University.

Managing OCIR can be done in three ways: starting with managing the repository itself, followed by managing the images within the repository, and last but not least, managing the overall security of your repository alongside the images. Let's understand each one in more detail.

You can create an empty repository in a compartment and give it a name that's unique across all the compartments in the entire tenancy. There is a limit to the number of repositories you can have in a given region in a tenancy. When you no longer need a repository, it makes sense to delete it from the Oracle Cloud Infrastructure Registry. Make a note that when you delete a repository, it can take up to 48 hours for the deletion to take effect and for the storage to actually be released.

When you create a new repository in Oracle Cloud Infrastructure Registry, you specify the compartment in which you want to create it. Having created the repository in one compartment, you can subsequently move it to a different compartment. The reasons can be many. It can be to change the users who are authorized to use the repository or to change how the billing for our repository is charged.

Let's have a look at how to manage images. You can view the images stored on OCIR using the OCI console or using the docker images command from your Docker client after logging in to the OCIR repo. To push an image, you first use the docker tag command to create a copy of the local source image as a new image. As a name for the new image, you specify the fully qualified path to the target location in your container registry where you want to push the image, including the name of a repository.
In order to pull an image, you must be logged in to the OCIR registry using the auth token and use the docker pull command followed by the fully qualified name of the image you wish to download on your Docker client. When you no longer need an old image or you simply want to clean up the list of image tags in a repository, you can delete images from the Oracle Cloud Infrastructure Registry. You can undelete an image you've previously deleted for up to 48 hours after you deleted it. After that time, the image is permanently removed from the container registry.

You can set up image retention policies to automatically delete images that meet particular selection criteria. Criteria can be images that have not been pulled for a certain number of days or images that have not been tagged for a certain number of days. It can also be images that have not been given particular Docker tags specified as exempt from the automatic deletion. There's an hourly process that checks images against the selection criteria, and any that meet the selection criteria are automatically deleted.

In each region in a tenancy, there is a global image retention policy. The default criteria of the policy is to retain all images so that no images are automatically deleted. However, you can change the global image retention policy so that the images are deleted if they meet certain criteria that you specified. A region's global image retention policy applies to all the repositories within that region unless it is explicitly overwritten by one or more custom image retention policies. Only one custom image retention policy at a time can be applied to a repository. If a repository has already been added to a custom retention policy and you want to add the repository to a different custom retention policy, you have to remove the repository from the first retention policy before adding it to the second one. Make a note, global image retention policies are specific to a particular region.
To delete images consistently in different regions in your tenancy, you need to set up image retention policies in each region with identical selection criteria. If you want to prevent images from being deleted on the basis of Docker tags they've been given, you need to specify those tags as exempt in a comma-separated list. When you want to clean up the list of images in our repository without actually deleting the images, you can remove the tags from the images in OCIR. Removing tags from images is referred to as untagging.

During the deployment of an application to a Kubernetes cluster, you'll typically want one or more images to be pulled from a Docker registry. In the application's manifest file, you specify the images that you wish to pull, the registry to pull them from, and the credentials to use when pulling the images. If you want the application to pull images that reside within the container registry, you will have to perform two steps. The first one is you have to use kubectl to create a Docker registry secret. The secret contains the Oracle Cloud Infrastructure credentials to use when pulling the image. The next step is you have to specify the image to pull from the container registry, including the repository location and the Docker registry secret to use, in the application's manifest file.

While managing security, you are given fine-grained control over the operations that users are allowed to perform on repositories within the container registry. Using the concept of users and groups, you can control repository access by setting up Identity and Access Management policies at the tenancy and at the compartment level. These are examples of some of the policies that you can use to control access to your container registry. You can write policies to allow inspect, read, use, and manage operations on the repository based on the requirements.
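A small audit of repository access policies along the lines described above, as an added example that is not part of the original lesson or Oracle's code. The group and compartment names are constructed, and the rule that nothing above `read` should be granted tenancy-wide is an assumed house rule, not an OCI default.

```python
import re

# Verbs in increasing order of privilege, as listed in the lesson.
VERBS = ["inspect", "read", "use", "manage"]

# Matches: Allow group|service <name> to <verb> <resource-type> in tenancy|compartment <name>
STATEMENT = re.compile(
    r"^allow\s+(?P<subject>(?:group|service)\s+[\w.\-/]+)\s+to\s+"
    r"(?P<verb>inspect|read|use|manage)\s+(?P<resource>[\w-]+)\s+in\s+"
    r"(?P<scope>tenancy|compartment\s+[\w.\-:]+)(?:\s+where\s+.+)?$",
    re.IGNORECASE,
)

# Constructed sample statements; group and compartment names are made up.
SAMPLE_POLICY = [
    "Allow group image-pullers to read repos in tenancy",
    "Allow group ci-pushers to use repos in compartment build",
    "Allow group registry-admins to manage repos in tenancy",
    "Allow group dev-team to manage all-resources in tenancy",
    "Allow service vulnerability-scanning-service to read repos in tenancy",
    "Allow any-user to read repos in tenancy",
]

def audit(statements, max_tenancy_verb="read"):
    """Return (statement, finding) pairs for repository grants broader than the house rule."""
    findings = []
    for raw in statements:
        m = STATEMENT.match(" ".join(raw.split()))
        if m is None:
            findings.append((raw, "not recognised by this checker, review by hand"))
            continue
        # Only grants that cover repositories are of interest here.
        if m["resource"].lower() not in ("repos", "all-resources"):
            continue
        verb = m["verb"].lower()
        is_group = m["subject"].lower().startswith("group")
        tenancy_wide = m["scope"].lower() == "tenancy"
        if is_group and tenancy_wide and VERBS.index(verb) > VERBS.index(max_tenancy_verb):
            findings.append((raw, f"'{verb}' granted tenancy-wide, scope it to a compartment"))
    return findings

if __name__ == "__main__":
    for statement, finding in audit(SAMPLE_POLICY):
        print(f"{finding}: {statement}")
```
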
Before you can push and pull Docker images to and from the container registry, you must already have an Oracle Cloud Infrastructure username and an authentication token.

It is not uncommon for the operating system packages included in images to have vulnerabilities. Managing these vulnerabilities enables you to strengthen the security posture of your system and respond quickly when new vulnerabilities are discovered. You can set up Oracle Cloud Infrastructure Registry to scan images in a repository for security vulnerabilities published in the publicly available Common Vulnerabilities and Exposures databases. To perform image scanning, the container registry makes use of the Oracle Cloud Infrastructure Vulnerability Scanning service and the Vulnerability Scanning REST API. You need to define certain policies for scanning images for vulnerabilities: policies such as one to allow the Vulnerability Scanning service to read the repositories within your tenancy or the compartment, and again, a policy to allow the Vulnerability Scanning service to read compartments within your tenancy, or any particular compartment where you're managing your repository.

Preparing for container registry. Before you can push and pull Docker images to and from Oracle Cloud Infrastructure Registry, you need to have the following in place. The first thing is your tenancy must be subscribed to one or more of the regions in which the container registry is available. You can check the same within the Oracle documentation. The next thing is you need to have access to the Docker command line interface to push and pull images on your local machine. The third thing is, users must belong to a group to which a policy grants the appropriate permission or belong to the tenancy's administrator group, which by default has access permissions on the container registry.
Lastly, users must already have an Oracle Cloud Infrastructure username and an authentication token, which enables them to perform operations on the container registry.

To wrap up, in this lesson, we covered OCIR in greater detail and learned how to manage OCIR along with the required IAM policies. We also understood the image scanning security feature to detect vulnerabilities earlier in the software development life cycle. I hope you found this lesson useful. See you in the next one. Thanks for watching.
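What the two-step image pull setup from the lesson produces, as an added example that is not part of the original lesson or Oracle's code: the first function builds the kind of Secret that `kubectl create secret docker-registry` generates, the second a Pod manifest that references it. The registry host, tenancy namespace, user, token and image path are constructed sample values.

```python
import base64
import json

def docker_registry_secret(name, server, username, auth_token, email):
    """Step 1: the Secret holding the registry credentials (type dockerconfigjson)."""
    basic = base64.b64encode(f"{username}:{auth_token}".encode()).decode()
    config = {"auths": {server: {"username": username, "password": auth_token,
                                 "email": email, "auth": basic}}}
    encoded = base64.b64encode(json.dumps(config).encode()).decode()
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name},
        "type": "kubernetes.io/dockerconfigjson",
        "data": {".dockerconfigjson": encoded},
    }

def pod_manifest(pod_name, image, secret_name):
    """Step 2: the manifest names the fully qualified image and the pull secret."""
    return {
        "apiVersion": "v1",
        "kind": "Pod",
        "metadata": {"name": pod_name},
        "spec": {
            "containers": [{"name": pod_name, "image": image}],
            "imagePullSecrets": [{"name": secret_name}],
        },
    }

def recover_credentials(secret):
    """Decode the Secret again: its data is base64-encoded, not encrypted."""
    config = json.loads(base64.b64decode(secret["data"][".dockerconfigjson"]))
    return {srv: (e["username"], e["password"]) for srv, e in config["auths"].items()}

# Constructed sample values, not real credentials.
SAMPLE_SECRET = docker_registry_secret(
    "ocirsecret", "phx.ocir.io", "mytenancy/jdoe", "constructed-auth-token", "jdoe@example.com")
SAMPLE_POD = pod_manifest("helloworld", "phx.ocir.io/mytenancy/project01/helloworld:1.0", "ocirsecret")

if __name__ == "__main__":
    # kubectl accepts JSON manifests as well as YAML.
    print(json.dumps(SAMPLE_SECRET, indent=2))
    print(json.dumps(SAMPLE_POD, indent=2))
```

Anyone who can read Secrets in the namespace can recover the auth token, so limit Secret access with Kubernetes RBAC and issue the token for a user whose group can only read the repositories it needs.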