{"id":1960,"date":"2026-02-15T11:16:33","date_gmt":"2026-02-15T11:16:33","guid":{"rendered":"https:\/\/sreschool.com\/blog\/oci\/"},"modified":"2026-02-15T11:16:33","modified_gmt":"2026-02-15T11:16:33","slug":"oci","status":"publish","type":"post","link":"https:\/\/sreschool.com\/blog\/oci\/","title":{"rendered":"What is OCI? Meaning, Architecture, Examples, Use Cases, and How to Measure It (2026 Guide)"},"content":{"rendered":"\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">Quick Definition<\/h2>\n\n\n\n<p>OCI is the Open Container Initiative, an industry standards project that defines container image and runtime formats for portability. Analogy: OCI is like the shipping container standard for software containers. Formally: OCI specifies the image manifest, image layout, and runtime-spec for interoperable containers.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">What is OCI?<\/h2>\n\n\n\n<p>OCI is the Open Container Initiative, an open standards effort originally created to standardize container image formats and runtimes so that different tools interoperate. 
It is not a runtime implementation, a vendor product, or a cloud provider API; rather, it is a set of specifications plus reference tooling.<\/p>\n\n\n\n<p>Key properties and constraints:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Specification-driven: formats and runtime behavior are defined via specs.<\/li>\n<li>Minimal surface: focuses on image layout, manifests, and runtime configuration.<\/li>\n<li>Interoperability-first: enables images and runtimes to be portable.<\/li>\n<li>Extensible but conservative: additions go via proposal processes.<\/li>\n<li>Governance: maintained by a standards-style working group model.<\/li>\n<\/ul>\n\n\n\n<p>Where it fits in modern cloud\/SRE workflows:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Developer builds produce OCI-compliant images for CI\/CD.<\/li>\n<li>Registries store OCI images for deployment pipelines.<\/li>\n<li>Runtimes use the OCI runtime-spec to execute images consistently.<\/li>\n<li>Observability and security tools inspect OCI artifacts for scanning and verification.<\/li>\n<li>SREs rely on OCI compatibility to roll out across heterogeneous runtime environments.<\/li>\n<\/ul>\n\n\n\n<p>Text-only diagram of the workflow:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Developer -&gt; Build -&gt; OCI image (manifest + layers) -&gt; Push to registry -&gt; CI\/CD picks image -&gt; Orchestrator (k8s or runtime) pulls image -&gt; OCI runtime executes container -&gt; Observability &amp; security agents inspect image and runtime.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">OCI in one sentence<\/h3>\n\n\n\n<p>OCI defines the standard container image format and runtime specification so images run uniformly across compliant tools and platforms.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">OCI vs related terms<\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>ID<\/th>\n<th>Term<\/th>\n<th>How it differs from OCI<\/th>\n<th>Common 
confusion<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>T1<\/td>\n<td>Docker image<\/td>\n<td>Docker images predate OCI; can be OCI-compatible<\/td>\n<td>People conflate Docker engine with OCI spec<\/td>\n<\/tr>\n<tr>\n<td>T2<\/td>\n<td>OCI image<\/td>\n<td>The spec artifact; not a runtime<\/td>\n<td>Some call any container image an OCI image<\/td>\n<\/tr>\n<tr>\n<td>T3<\/td>\n<td>OCI runtime-spec<\/td>\n<td>Runtime behavior contract<\/td>\n<td>Mistaken for a full runtime like runc<\/td>\n<\/tr>\n<tr>\n<td>T4<\/td>\n<td>runc<\/td>\n<td>A runtime implementation that follows OCI runtime-spec<\/td>\n<td>Believed to be the only runtime<\/td>\n<\/tr>\n<tr>\n<td>T5<\/td>\n<td>containerd<\/td>\n<td>Runtime and image management daemon<\/td>\n<td>Confused with low-level OCI spec<\/td>\n<\/tr>\n<tr>\n<td>T6<\/td>\n<td>Kubernetes<\/td>\n<td>Orchestrator that uses images and runtimes<\/td>\n<td>People confuse the k8s API with OCI standards<\/td>\n<\/tr>\n<tr>\n<td>T7<\/td>\n<td>OCI registry<\/td>\n<td>A registry storing OCI images<\/td>\n<td>Often assumed to enforce OCI conformance<\/td>\n<\/tr>\n<tr>\n<td>T8<\/td>\n<td>Image manifest<\/td>\n<td>Part of OCI spec for describing image<\/td>\n<td>Mistaken for runtime configuration<\/td>\n<\/tr>\n<tr>\n<td>T9<\/td>\n<td>OpenShift<\/td>\n<td>Distribution that runs containers<\/td>\n<td>Mistaken as spec maintainer<\/td>\n<\/tr>\n<tr>\n<td>T10<\/td>\n<td>CRI<\/td>\n<td>Kubernetes Container Runtime Interface<\/td>\n<td>Thought to replace OCI runtime-spec<\/td>\n<\/tr>\n<tr>\n<td>T11<\/td>\n<td>OCI Distribution<\/td>\n<td>Spec for image distribution<\/td>\n<td>Confused with vendor product names<\/td>\n<\/tr>\n<tr>\n<td>T12<\/td>\n<td>AppArmor<\/td>\n<td>Kernel security module<\/td>\n<td>Not an OCI spec element<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr 
class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">Why does OCI matter?<\/h2>\n\n\n\n<p>Business impact:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Revenue: Faster delivery and multi-cloud portability reduce time-to-market.<\/li>\n<li>Trust: Standardized artifacts reduce integration risk with partners and vendors.<\/li>\n<li>Risk reduction: Standards lower vendor lock-in and incompatibilities.<\/li>\n<\/ul>\n\n\n\n<p>Engineering impact:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Incident reduction: Predictable image behavior reduces runtime surprises.<\/li>\n<li>Velocity: Developers can rely on a consistent build-&gt;run contract, accelerating CI\/CD.<\/li>\n<li>Tooling economy: Security scanners, registries, and orchestrators interoperate.<\/li>\n<\/ul>\n\n\n\n<p>SRE framing:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>SLIs\/SLOs: Use image pull success rate and start time as SLIs.<\/li>\n<li>Error budgets: Account for deploy failures sourced from non-compliant images.<\/li>\n<li>Toil: Standards reduce repetitive debugging across environments.<\/li>\n<li>On-call: Clear artifact provenance helps first responders triage faster.<\/li>\n<\/ul>\n\n\n\n<p>Realistic examples of what breaks in production:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Image incompatible with runtime flags causing startup failures.<\/li>\n<li>Broken image manifest that a registry refuses to serve.<\/li>\n<li>Layer corruption during transfer triggering runtime errors.<\/li>\n<li>Runtime privilege escalation due to misinterpreted spec fields.<\/li>\n<li>Security scanner misses a vulnerable layer due to non-standard layout.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">Where is OCI used? 
<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>ID<\/th>\n<th>Layer\/Area<\/th>\n<th>How OCI appears<\/th>\n<th>Typical telemetry<\/th>\n<th>Common tools<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>L1<\/td>\n<td>Build system<\/td>\n<td>Produces OCI images<\/td>\n<td>Build success rate and size<\/td>\n<td>Buildkit, Kaniko<\/td>\n<\/tr>\n<tr>\n<td>L2<\/td>\n<td>Registry<\/td>\n<td>Stores OCI artifacts<\/td>\n<td>Push\/pull latency and failures<\/td>\n<td>Harbor, Nexus<\/td>\n<\/tr>\n<tr>\n<td>L3<\/td>\n<td>Orchestrator<\/td>\n<td>Pulls images for workloads<\/td>\n<td>Image pull times and restarts<\/td>\n<td>Kubernetes, Nomad<\/td>\n<\/tr>\n<tr>\n<td>L4<\/td>\n<td>Runtime<\/td>\n<td>Executes OCI runtime-spec<\/td>\n<td>Container start\/exit codes<\/td>\n<td>runc, crun<\/td>\n<\/tr>\n<tr>\n<td>L5<\/td>\n<td>CI\/CD<\/td>\n<td>Promotes OCI images between stages<\/td>\n<td>Promotion failures and artifacts<\/td>\n<td>Jenkins, GitHub Actions<\/td>\n<\/tr>\n<tr>\n<td>L6<\/td>\n<td>Security scanning<\/td>\n<td>Scans OCI images<\/td>\n<td>Scan time and vulnerability counts<\/td>\n<td>Trivy, Clair<\/td>\n<\/tr>\n<tr>\n<td>L7<\/td>\n<td>Observability<\/td>\n<td>Traces and metrics from containers<\/td>\n<td>Resource usage and logs<\/td>\n<td>Prometheus, Grafana<\/td>\n<\/tr>\n<tr>\n<td>L8<\/td>\n<td>Serverless\/PaaS<\/td>\n<td>Runs OCI images for functions<\/td>\n<td>Cold start and concurrency<\/td>\n<td>Knative, AWS Fargate<\/td>\n<\/tr>\n<tr>\n<td>L9<\/td>\n<td>Edge devices<\/td>\n<td>Pulls OCI images for edge workloads<\/td>\n<td>Update success and bandwidth<\/td>\n<td>balena, Mender<\/td>\n<\/tr>\n<tr>\n<td>L10<\/td>\n<td>Artifact signing<\/td>\n<td>Verifies image provenance<\/td>\n<td>Signature verification success<\/td>\n<td>cosign, Notary<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr 
class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">When should you use OCI?<\/h2>\n\n\n\n<p>When it\u2019s necessary:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>You need portable container images across registries and runtimes.<\/li>\n<li>Multiple teams or vendors must share artifacts reliably.<\/li>\n<li>You operate at scale with diverse runtime implementations.<\/li>\n<\/ul>\n\n\n\n<p>When it\u2019s optional:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Small single-host projects that never move off a single runtime.<\/li>\n<li>Prototyping where speed matters more than long-term portability.<\/li>\n<\/ul>\n\n\n\n<p>When NOT to use \/ overuse it:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Treating OCI as a full security policy substitute; it standardizes formats but not supply-chain policies.<\/li>\n<li>Using OCI image format for monolithic artifacts that should be packaged differently.<\/li>\n<\/ul>\n\n\n\n<p>Decision checklist:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>If you need portability and multi-runtime support -&gt; adopt OCI images and runtime-spec.<\/li>\n<li>If you need advanced distro-specific features -&gt; evaluate compatibility layer.<\/li>\n<li>If you run serverless managed services -&gt; confirm they accept OCI images.<\/li>\n<\/ul>\n\n\n\n<p>Maturity ladder:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Beginner: Produce OCI-compliant images; use hosted registry.<\/li>\n<li>Intermediate: Enforce signing, scanning, and CI pipeline checks.<\/li>\n<li>Advanced: Automated attestation, reproducible builds, multi-arch, SBOMs and policy-as-code.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">How does OCI work?<\/h2>\n\n\n\n<p>Components and workflow:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Image format: content-addressable layers, config JSON, and manifests.<\/li>\n<li>Distribution: registry protocols that serve manifest and layers.<\/li>\n<li>Runtime-spec: JSON 
config for namespaces, mounts, cgroups, and hooks.<\/li>\n<li>Runtimes: implementations read runtime-spec and execute container processes.<\/li>\n<li>Tooling: builders, registries, runtimes, and security tools all interoperate using the specs.<\/li>\n<\/ul>\n\n\n\n<p>Data flow and lifecycle:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Developer builds layers from filesystem diffs.<\/li>\n<li>Builder creates image config and manifest referencing layer digests.<\/li>\n<li>Image pushed to registry via OCI distribution protocol.<\/li>\n<li>Orchestrator pulls manifest and layers, validates digests.<\/li>\n<li>Runtime instantiates container using runtime-spec configuration.<\/li>\n<li>Observability and security tools inspect image and attach to runtime.<\/li>\n<\/ol>\n\n\n\n<p>Edge cases and failure modes:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Partial push leaves registry with incomplete content.<\/li>\n<li>Digest mismatches due to storage corruption.<\/li>\n<li>Runtime hook misconfiguration preventing proper isolation.<\/li>\n<li>Cross-architecture images pulled on incompatible hosts.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Typical architecture patterns for OCI<\/h3>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Single-repo microservice: each service produces tagged OCI images; use CI pipeline to push.<\/li>\n<li>Multi-arch builds: buildx or cross-tool to produce manifests with multiple architectures.<\/li>\n<li>Immutable deployments: images are immutable artifacts promoted across environments.<\/li>\n<li>Trusted supply chain: signed and attested images with SBOMs and policy gates.<\/li>\n<li>Serverless container deployments: stateless functions packaged as OCI images.<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Failure modes &amp; mitigation<\/h3>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>ID<\/th>\n<th>Failure mode<\/th>\n<th>Symptom<\/th>\n<th>Likely 
cause<\/th>\n<th>Mitigation<\/th>\n<th>Observability signal<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>F1<\/td>\n<td>Image pull fails<\/td>\n<td>Pod stuck in ImagePullBackOff<\/td>\n<td>Registry auth or network<\/td>\n<td>Check creds, network, cache<\/td>\n<td>Pull error events<\/td>\n<\/tr>\n<tr>\n<td>F2<\/td>\n<td>Manifest mismatch<\/td>\n<td>Runtime rejects image<\/td>\n<td>Corrupt manifest or digest<\/td>\n<td>Re-push image, verify digests<\/td>\n<td>Digest mismatch logs<\/td>\n<\/tr>\n<tr>\n<td>F3<\/td>\n<td>Cold start latency<\/td>\n<td>Slow start times<\/td>\n<td>Large image size or IO<\/td>\n<td>Use slim images, preload<\/td>\n<td>Start time histogram<\/td>\n<\/tr>\n<tr>\n<td>F4<\/td>\n<td>Privilege escape<\/td>\n<td>Container sees host resources<\/td>\n<td>Misconfigured namespaces<\/td>\n<td>Harden runtime config<\/td>\n<td>Seccomp\/AppArmor denials<\/td>\n<\/tr>\n<tr>\n<td>F5<\/td>\n<td>Layer corruption<\/td>\n<td>Runtime crash on layer read<\/td>\n<td>Storage fault<\/td>\n<td>Rebuild and validate layers<\/td>\n<td>Read errors in registries<\/td>\n<\/tr>\n<tr>\n<td>F6<\/td>\n<td>Scan misses vuln<\/td>\n<td>Post-deploy exploit<\/td>\n<td>Scanner blind spots<\/td>\n<td>Multi-scanner, SBOM<\/td>\n<td>Vulnerability delta metrics<\/td>\n<\/tr>\n<tr>\n<td>F7<\/td>\n<td>Multi-arch mismatch<\/td>\n<td>Wrong arch image pulled<\/td>\n<td>Incorrect manifest list<\/td>\n<td>Fix manifest, retag<\/td>\n<td>Node architecture mismatch<\/td>\n<\/tr>\n<tr>\n<td>F8<\/td>\n<td>Incomplete push<\/td>\n<td>Missing layers on pull<\/td>\n<td>Network timeout during push<\/td>\n<td>Retry logic, resumable uploads<\/td>\n<td>Push error codes<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">Key Concepts, Keywords &amp; Terminology for OCI<\/h2>\n\n\n\n<p>Glossary (40+ 
terms). Each entry: Term \u2014 definition \u2014 why it matters \u2014 common pitfall<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>OCI image \u2014 Standard container image format \u2014 Enables portability \u2014 Confused with Docker-only images  <\/li>\n<li>OCI runtime-spec \u2014 JSON for runtime configuration \u2014 Ensures consistent runtime semantics \u2014 Mistaken for full runtime  <\/li>\n<li>Manifest \u2014 Descriptor of image layers \u2014 Required for pulling images \u2014 Altered manifests break integrity  <\/li>\n<li>Layer \u2014 Filesystem diff in image \u2014 Efficient storage and transfer \u2014 Overuse causes large images  <\/li>\n<li>Config JSON \u2014 Image metadata and cmd \u2014 Determines runtime process \u2014 Wrong entrypoint leads to failure  <\/li>\n<li>Content-addressable storage \u2014 Digest-based storage \u2014 Ensures integrity \u2014 Digest mismatches block deploys  <\/li>\n<li>Registry \u2014 Stores OCI artifacts \u2014 Central distribution point \u2014 Private registries need auth config  <\/li>\n<li>Distribution spec \u2014 Protocol for push\/pull \u2014 Interoperability for registries \u2014 Not all registries fully implement it  <\/li>\n<li>runc \u2014 Reference OCI runtime implementation \u2014 Common runtime used by containerd \u2014 Not the only runtime  <\/li>\n<li>crun \u2014 Lightweight runtime alternative \u2014 Better performance in some envs \u2014 Different feature set from runc  <\/li>\n<li>containerd \u2014 Runtime daemon and image manager \u2014 Core in many stacks \u2014 Confused with Kubernetes CRI  <\/li>\n<li>buildkit \u2014 Advanced builder for OCI images \u2014 Efficient caching \u2014 Requires CI integration  <\/li>\n<li>Kaniko \u2014 Builder that runs in-cluster \u2014 Useful for building without Docker daemon \u2014 Slower on large images  <\/li>\n<li>Multi-arch \u2014 Support for multiple CPU architectures \u2014 Important for cross-platform deploys \u2014 Manifest complexity  <\/li>\n<li>Manifest list 
\u2014 Multi-arch manifest pointer \u2014 Simplifies multi-arch pulls \u2014 Can be mis-tagged  <\/li>\n<li>Signature \u2014 Cryptographic attestation of image \u2014 Enables trust and provenance \u2014 Unverified signatures are useless  <\/li>\n<li>cosign \u2014 Tool for signing images \u2014 Integrates into CI\/CD \u2014 Requires key management  <\/li>\n<li>Notary \u2014 Content trust framework \u2014 Verifies signed artifacts \u2014 Operational complexity with keys  <\/li>\n<li>SBOM \u2014 Software bill of materials \u2014 Lists components of an image \u2014 Not universally enforced yet  <\/li>\n<li>Reproducible build \u2014 Deterministic image creation \u2014 Improves provenance \u2014 Hard to achieve for all deps  <\/li>\n<li>Image scanning \u2014 Vulnerability inspection \u2014 Reduces security risk \u2014 False negatives occur  <\/li>\n<li>Trivy \u2014 Lightweight scanner \u2014 Fast and popular \u2014 DB freshness matters  <\/li>\n<li>Clair \u2014 Server-based scanner \u2014 Integrates with registries \u2014 Management overhead  <\/li>\n<li>Layer caching \u2014 Reuse of build artifacts \u2014 Speeds CI builds \u2014 Cache invalidation issues  <\/li>\n<li>Entrypoint \u2014 Primary process of container \u2014 Controls container lifecycle \u2014 Mis-specified leads to silent exits  <\/li>\n<li>CMD \u2014 Default args for entrypoint \u2014 Useful for overrides \u2014 Confused with entrypoint behavior  <\/li>\n<li>Healthcheck \u2014 Runtime probe for container health \u2014 Enables orchestration restarts \u2014 Improper probes mask issues  <\/li>\n<li>Image pull policy \u2014 When images are fetched \u2014 Affects immutability and caching \u2014 Always pull can cause outages  <\/li>\n<li>Immutable tags \u2014 Never reassign tags to same name \u2014 Prevents drift \u2014 People still overwrite latest tags  <\/li>\n<li>Digest pinning \u2014 Use content digest to pin images \u2014 Ensures exact artifact \u2014 Harder to read and manage manually  <\/li>\n<li>OCI 
layout \u2014 Filesystem layout for images \u2014 Useful for offline import\/export \u2014 Not commonly used by SREs  <\/li>\n<li>Runtime hooks \u2014 Lifecycle commands run by runtime \u2014 For instrumentation or cleanup \u2014 Misuse breaks isolation  <\/li>\n<li>Seccomp \u2014 Syscall filter profile \u2014 Reduces attack surface \u2014 Blocks legitimate syscalls if too strict  <\/li>\n<li>AppArmor \u2014 Kernel-level sandboxing \u2014 Adds security \u2014 Distribution-specific profiles  <\/li>\n<li>cgroups \u2014 Resource control primitives \u2014 Prevents noisy neighbors \u2014 Misconfiguration leads to OOMs  <\/li>\n<li>Namespaces \u2014 Linux isolation primitives \u2014 Fundamental to container isolation \u2014 Not a substitute for VMs in some cases  <\/li>\n<li>OCI Distribution \u2014 Spec for pushing\/pulling artifacts \u2014 Baseline of registry behavior \u2014 Not identical to Docker Hub API  <\/li>\n<li>Image signing policy \u2014 Org rule for trusting images \u2014 Enforces provenance \u2014 Key management complexity  <\/li>\n<li>Provenance \u2014 Build metadata linking source to artifact \u2014 Important for audits \u2014 Must be preserved in CI  <\/li>\n<li>Attestation \u2014 Assertion about artifact properties \u2014 Enables supply chain security \u2014 Needs verification tooling  <\/li>\n<li>Rebase \u2014 Replace base layer without rebuild \u2014 Useful for patching \u2014 Tooling support varies  <\/li>\n<li>Garbage collection \u2014 Cleaning unused images\/layers \u2014 Saves storage \u2014 Aggressive GC breaks active deployments  <\/li>\n<li>Pull-through cache \u2014 Local registry cache for remote images \u2014 Reduces latency \u2014 Cache staleness risk  <\/li>\n<li>On-demand downloading \u2014 Lazy fetch of layers \u2014 Speeds startup for some workloads \u2014 May cause runtime IO spikes  <\/li>\n<\/ol>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">How to Measure OCI (Metrics, SLIs, SLOs)
<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>ID<\/th>\n<th>Metric\/SLI<\/th>\n<th>What it tells you<\/th>\n<th>How to measure<\/th>\n<th>Starting target<\/th>\n<th>Gotchas<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>M1<\/td>\n<td>Image pull success rate<\/td>\n<td>Reliability of distribution<\/td>\n<td>Successful pulls \/ total pulls<\/td>\n<td>99.9%<\/td>\n<td>Counts retries as successes<\/td>\n<\/tr>\n<tr>\n<td>M2<\/td>\n<td>Image pull latency P95<\/td>\n<td>Time to retrieve image<\/td>\n<td>Measure from pull start to complete<\/td>\n<td>&lt;2s for cached<\/td>\n<td>Large images skew percentiles<\/td>\n<\/tr>\n<tr>\n<td>M3<\/td>\n<td>Container start time<\/td>\n<td>Time from create to running<\/td>\n<td>Runtime event timestamps<\/td>\n<td>&lt;1s warm, &lt;3s cold<\/td>\n<td>Cold starts differ by env<\/td>\n<\/tr>\n<tr>\n<td>M4<\/td>\n<td>Vulnerable packages per image<\/td>\n<td>Security exposure<\/td>\n<td>Scanner vulnerability count<\/td>\n<td>Goal: 0 critical<\/td>\n<td>Scanner coverage varies<\/td>\n<\/tr>\n<tr>\n<td>M5<\/td>\n<td>Signed image rate<\/td>\n<td>Percent images signed<\/td>\n<td>Signed pushes \/ total pushes<\/td>\n<td>100% for prod<\/td>\n<td>Signatures require key mgmt<\/td>\n<\/tr>\n<tr>\n<td>M6<\/td>\n<td>SBOM availability<\/td>\n<td>Provenance completeness<\/td>\n<td>SBOM present boolean<\/td>\n<td>100% in prod<\/td>\n<td>Formats vary between tools<\/td>\n<\/tr>\n<tr>\n<td>M7<\/td>\n<td>Reproducible build rate<\/td>\n<td>Rebuild parity<\/td>\n<td>Bit-for-bit equality checks<\/td>\n<td>Aim: &gt;90%<\/td>\n<td>External deps reduce parity<\/td>\n<\/tr>\n<tr>\n<td>M8<\/td>\n<td>Image size distribution<\/td>\n<td>Impact on network and startup<\/td>\n<td>Size histogram per image<\/td>\n<td>Keep &lt;100MB typical<\/td>\n<td>Some apps need larger sizes<\/td>\n<\/tr>\n<tr>\n<td>M9<\/td>\n<td>Manifest validation errors<\/td>\n<td>Integrity issues<\/td>\n<td>Registry validation logs<\/td>\n<td>0 per 
day<\/td>\n<td>Corrupt pushes common in bad networks<\/td>\n<\/tr>\n<tr>\n<td>M10<\/td>\n<td>Registry error rate<\/td>\n<td>Registry reliability<\/td>\n<td>5xx responses \/ total<\/td>\n<td>&lt;0.1%<\/td>\n<td>Spikes during GC or upgrades<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Best tools to measure OCI<\/h3>\n\n\n\n<h4 class=\"wp-block-heading\">Tool \u2014 Prometheus + exporters<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>What it measures for OCI: Pull times, registry metrics, runtime metrics<\/li>\n<li>Best-fit environment: Kubernetes and containerized infra<\/li>\n<li>Setup outline:<\/li>\n<li>Install node and registry exporters<\/li>\n<li>Scrape containerd\/runtime metrics endpoint<\/li>\n<li>Create serviceMonitors for registries<\/li>\n<li>Define recording rules for SLIs<\/li>\n<li>Hook to Alertmanager<\/li>\n<li>Strengths:<\/li>\n<li>Flexible, high cardinality<\/li>\n<li>Wide ecosystem for exporters<\/li>\n<li>Limitations:<\/li>\n<li>Operational overhead at scale<\/li>\n<li>Long-term storage needs extra components<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Tool \u2014 Grafana<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>What it measures for OCI: Dashboards and visualizations of metrics<\/li>\n<li>Best-fit environment: Any metric store environment<\/li>\n<li>Setup outline:<\/li>\n<li>Connect to Prometheus<\/li>\n<li>Build panels for SLIs<\/li>\n<li>Create alerting rules or integrate with Alertmanager<\/li>\n<li>Strengths:<\/li>\n<li>Customizable dashboards<\/li>\n<li>Enterprise plugins for auth<\/li>\n<li>Limitations:<\/li>\n<li>Visualization only, needs data sources<\/li>\n<li>Dashboard drift without governance<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Tool \u2014 Trivy<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>What it measures for OCI: Vulnerability 
scanning of images<\/li>\n<li>Best-fit environment: CI pipelines, registries<\/li>\n<li>Setup outline:<\/li>\n<li>Add scanning step in CI<\/li>\n<li>Cache vulnerability DB<\/li>\n<li>Fail builds on high severity<\/li>\n<li>Strengths:<\/li>\n<li>Fast and simple<\/li>\n<li>Supports SBOM generation<\/li>\n<li>Limitations:<\/li>\n<li>DB freshness impacts results<\/li>\n<li>May miss some vulnerability sources<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Tool \u2014 cosign<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>What it measures for OCI: Image signing and verification<\/li>\n<li>Best-fit environment: CI\/CD with signing policies<\/li>\n<li>Setup outline:<\/li>\n<li>Generate keys or use KMS<\/li>\n<li>Sign images in CI<\/li>\n<li>Enforce verification in runtime admission<\/li>\n<li>Strengths:<\/li>\n<li>Integrates with SIGSTORE ecosystem<\/li>\n<li>Supports attestation<\/li>\n<li>Limitations:<\/li>\n<li>Key rotation and storage concerns<\/li>\n<li>Operational processes required<\/li>\n<\/ul>\n\n\n\n<h4 class=\"wp-block-heading\">Tool \u2014 Harbor<\/h4>\n\n\n\n<ul class=\"wp-block-list\">\n<li>What it measures for OCI: Registry metrics and vulnerability scans<\/li>\n<li>Best-fit environment: Enterprise registries<\/li>\n<li>Setup outline:<\/li>\n<li>Deploy Harbor with DB and storage<\/li>\n<li>Enable scanner integration<\/li>\n<li>Configure projects and policies<\/li>\n<li>Strengths:<\/li>\n<li>Enterprise features like RBAC and replication<\/li>\n<li>Built-in scanning integration<\/li>\n<li>Limitations:<\/li>\n<li>Operational complexity<\/li>\n<li>Resource overhead<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Recommended dashboards &amp; alerts for OCI<\/h3>\n\n\n\n<p>Executive dashboard:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Panels: Image push success rate, signed image percent, mean image size, registry uptime.<\/li>\n<li>Why: Provide leadership with health and risk posture at a glance.<\/li>\n<\/ul>\n\n\n\n<p>On-call 
dashboard:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Panels: Current pull failures, P95 pull latency, container start-time heatmap, recent manifest validation errors.<\/li>\n<li>Why: Rapid triage of deployment issues affecting service availability.<\/li>\n<\/ul>\n\n\n\n<p>Debug dashboard:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Panels: Per-node image cache hits, layer download trace, registry storage errors, runtime hook logs.<\/li>\n<li>Why: Deep diagnostic data for engineers troubleshooting edge cases.<\/li>\n<\/ul>\n\n\n\n<p>Alerting guidance:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Page vs ticket: Page on service-impacting SLO breaches (e.g., image pull success below threshold), ticket for infra maintenance windows and non-urgent scan findings.<\/li>\n<li>Burn-rate guidance: Alert when error budget consumption exceeds 2x baseline burn rate over one hour.<\/li>\n<li>Noise reduction tactics: Dedupe by error fingerprinting, group alerts by service and region, suppression during known maintenance windows.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">Implementation Guide (Step-by-step)<\/h2>\n\n\n\n<p>1) Prerequisites\n&#8211; CI system with artifact storage, access to registry, signing keys or KMS, chosen scanners, and observability stack.<\/p>\n\n\n\n<p>2) Instrumentation plan\n&#8211; Instrument builders to emit build metadata and SBOMs.\n&#8211; Expose registry metrics and runtime metrics.\n&#8211; Create probes for image pull and start-time.<\/p>\n\n\n\n<p>3) Data collection\n&#8211; Centralize metrics in Prometheus or managed equivalent.\n&#8211; Store logs for registries and runtimes in a searchable store.\n&#8211; Persist SBOM and attestation artifacts with images.<\/p>\n\n\n\n<p>4) SLO design\n&#8211; Define SLIs from metrics table (e.g., pull success rate).\n&#8211; Set SLOs based on business needs and historical data.\n&#8211; Allocate error budgets by environment.<\/p>\n\n\n\n<p>5) 
Dashboards\n&#8211; Build executive, on-call, and debug dashboards.\n&#8211; Create templated views for services and regions.<\/p>\n\n\n\n<p>6) Alerts &amp; routing\n&#8211; Map alerts to escalation policies.\n&#8211; Configure suppression for deployments.\n&#8211; Implement paging thresholds tied to SLOs.<\/p>\n\n\n\n<p>7) Runbooks &amp; automation\n&#8211; Create runbooks for common failures (pull errors, signature failures).\n&#8211; Automate remediation for transient errors (cache priming, retry policies).<\/p>\n\n\n\n<p>8) Validation (load\/chaos\/game days)\n&#8211; Run image-pull storm tests and network partition scenarios.\n&#8211; Conduct game days simulating registry outages and signing key compromise.<\/p>\n\n\n\n<p>9) Continuous improvement\n&#8211; Review incidents for supply-chain causes.\n&#8211; Iterate SLOs and refine monitoring and automation.<\/p>\n\n\n\n<p>Checklists:<\/p>\n\n\n\n<p>Pre-production checklist:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>All images are signed and SBOMs stored.<\/li>\n<li>Registry access and permissions validated.<\/li>\n<li>CI builds reproducible on sample runs.<\/li>\n<li>Alerts configured for pull failures.<\/li>\n<li>Documentation and runbooks present.<\/li>\n<\/ul>\n\n\n\n<p>Production readiness checklist:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>SLOs validated with historical data.<\/li>\n<li>Scaling policies for registry and storage tested.<\/li>\n<li>Automated key rotation policy in place.<\/li>\n<li>Latency thresholds and cache warming validated.<\/li>\n<li>Backup and disaster recovery for registry configured.<\/li>\n<\/ul>\n\n\n\n<p>Incident checklist specific to OCI:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Triage: Confirm if issue is registry, network, or image artifact.<\/li>\n<li>Verify: Check manifest digests and layer availability.<\/li>\n<li>Mitigate: Redirect pulls to cached registry or fallback tag.<\/li>\n<li>Remediate: Rebuild and repush artifact if corrupted.<\/li>\n<li>Postmortem: 
Capture root cause, timeline, and preventive actions.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">Use Cases of OCI<\/h2>\n\n\n\n<p>1) Multi-cloud deployment\n&#8211; Context: Deploy same service across clouds.\n&#8211; Problem: Different runtimes and registries.\n&#8211; Why OCI helps: Standard image format across clouds.\n&#8211; What to measure: Pull success rate across regions.\n&#8211; Typical tools: Multi-arch manifests, cosign.<\/p>\n\n\n\n<p>2) CI\/CD immutable artifacts\n&#8211; Context: Promote artifacts through stages.\n&#8211; Problem: Tag drift and accidental overwrites.\n&#8211; Why OCI helps: Use digests to pin immutability.\n&#8211; What to measure: Digest-based deployment success.\n&#8211; Typical tools: Buildkit, containerd.<\/p>\n\n\n\n<p>3) Secure supply chain\n&#8211; Context: Regulatory requirements for provenance.\n&#8211; Problem: Hard to prove artifact origin.\n&#8211; Why OCI helps: Supports signing and SBOM attachment.\n&#8211; What to measure: Signed image percentage.\n&#8211; Typical tools: cosign, SBOM generators.<\/p>\n\n\n\n<p>4) Edge device updates\n&#8211; Context: Deploy containers to IoT devices.\n&#8211; Problem: Intermittent bandwidth and varied arch.\n&#8211; Why OCI helps: Multi-arch images and resumable pushes.\n&#8211; What to measure: Update success and rollback rate.\n&#8211; Typical tools: Pull-through cache, manifest lists.<\/p>\n\n\n\n<p>5) Serverless containerization\n&#8211; Context: Run functions as containers.\n&#8211; Problem: Cold starts and image size constraints.\n&#8211; Why OCI helps: Optimized images and reproducible builds.\n&#8211; What to measure: Cold start time and invocation latency.\n&#8211; Typical tools: Knative, slim base images.<\/p>\n\n\n\n<p>6) Incident response artifact replay\n&#8211; Context: Reproduce production bug locally.\n&#8211; Problem: Image drift or missing metadata.\n&#8211; Why OCI helps: 
Reproducible build and SBOM enable accurate replay.\n&#8211; What to measure: Reproducibility rate.\n&#8211; Typical tools: Dockerfile linting, SBOM tools.<\/p>\n\n\n\n<p>7) Multi-arch support\n&#8211; Context: Support ARM and x86 in the fleet.\n&#8211; Problem: Building and distributing different images.\n&#8211; Why OCI helps: Manifest lists and standard layout.\n&#8211; What to measure: Architecture mismatch incidents.\n&#8211; Typical tools: buildx, QEMU emulation.<\/p>\n\n\n\n<p>8) Immutable infrastructure\n&#8211; Context: Immutable server images for infra services.\n&#8211; Problem: Drift and configuration sprawl.\n&#8211; Why OCI helps: Artifacts are immutable and versioned.\n&#8211; What to measure: Drift rate and rollback frequency.\n&#8211; Typical tools: Image promotion pipelines.<\/p>\n\n\n\n<p>9) Compliance audits\n&#8211; Context: Audit trail for deployed artifacts.\n&#8211; Problem: Lack of clear provenance.\n&#8211; Why OCI helps: Signed artifacts and SBOMs provide evidence.\n&#8211; What to measure: Audit completeness percentage.\n&#8211; Typical tools: Attestation systems.<\/p>\n\n\n\n<p>10) Blue\/green canary deploys\n&#8211; Context: Safe rollouts for user-facing services.\n&#8211; Problem: Risk of bad image causing outages.\n&#8211; Why OCI helps: Fast rollback to exact digest.\n&#8211; What to measure: Canary failure rate and rollback time.\n&#8211; Typical tools: Kubernetes rollout features.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">Scenario Examples (Realistic, End-to-End)<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">Scenario #1 \u2014 Kubernetes production rollout with OCI images<\/h3>\n\n\n\n<p><strong>Context:<\/strong> Microservices running on k8s clusters across regions.<br\/>\n<strong>Goal:<\/strong> Ensure reliable image distribution and fast rollback.<br\/>\n<strong>Why OCI matters here:<\/strong> Images must be consistent and verifiable across clusters.<br\/>\n<strong>Architecture \/ 
workflow:<\/strong> CI builds OCI image -&gt; signs with cosign -&gt; pushes to registry -&gt; k8s admission verifies signature -&gt; deployment uses digest.<br\/>\n<strong>Step-by-step implementation:<\/strong> <\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Ensure CI produces reproducible image and SBOM.<\/li>\n<li>Sign image in CI and attach attestation.<\/li>\n<li>Push to private registry with replication.<\/li>\n<li>Configure k8s admission controller to require cosign signatures.<\/li>\n<li>Deploy using image digests and automated canary rollouts.<\/li>\n<\/ol>\n\n\n\n<p><strong>What to measure:<\/strong> Image pull success rate, digest pinned deployment success, SBOM presence.<br\/>\n<strong>Tools to use and why:<\/strong> Buildkit, cosign, Harbor, Kubernetes, Prometheus.<br\/>\n<strong>Common pitfalls:<\/strong> Admission controller misconfigurations block deploys; keys leaked.<br\/>\n<strong>Validation:<\/strong> Run canary with failure injection, verify automatic rollback.<br\/>\n<strong>Outcome:<\/strong> Trusted, auditable deployments with quick rollback.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Scenario #2 \u2014 Serverless function as OCI image<\/h3>\n\n\n\n<p><strong>Context:<\/strong> Enterprise moves functions to containerized serverless platform.<br\/>\n<strong>Goal:<\/strong> Reduce cold start and simplify packaging.<br\/>\n<strong>Why OCI matters here:<\/strong> Serverless platform requires standard OCI images for invocation.<br\/>\n<strong>Architecture \/ workflow:<\/strong> Function code -&gt; builder creates minimal OCI image -&gt; push to registry -&gt; platform pulls and runs.<br\/>\n<strong>Step-by-step implementation:<\/strong> <\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Create small base image and layer function code.<\/li>\n<li>Generate SBOM, sign image.<\/li>\n<li>Push to registry with immutable tags.<\/li>\n<li>Configure platform for provisioned concurrency for critical endpoints.<\/li>\n<\/ol>\n\n\n\n<p><strong>What to measure:<\/strong> Cold start time, invocation 
success rate, image size.<br\/>\n<strong>Tools to use and why:<\/strong> Buildkit, Trivy, Prometheus, Knative or FaaS provider.<br\/>\n<strong>Common pitfalls:<\/strong> Large base images causing cold starts; missing health checks.<br\/>\n<strong>Validation:<\/strong> Load tests with cold-start patterns and profiling.<br\/>\n<strong>Outcome:<\/strong> Faster serverless response and traceable artifacts.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Scenario #3 \u2014 Incident-response and postmortem for OCI distribution outage<\/h3>\n\n\n\n<p><strong>Context:<\/strong> Registry outage prevents deployments causing a partial outage.<br\/>\n<strong>Goal:<\/strong> Restore deployments and learn root cause.<br\/>\n<strong>Why OCI matters here:<\/strong> Central registry is single point affecting CI\/CD.<br\/>\n<strong>Architecture \/ workflow:<\/strong> Registry with replication and pull-through cache present.<br\/>\n<strong>Step-by-step implementation:<\/strong> <\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Triage to confirm registry is source.<\/li>\n<li>Failover to read-only cached registry or fallback mirror.<\/li>\n<li>Allow emergency deploys using local cached artifacts.<\/li>\n<li>Investigate root cause (storage, GC, or DDoS).<\/li>\n<\/ol>\n\n\n\n<p><strong>What to measure:<\/strong> Time to failover, number of affected deployments.<br\/>\n<strong>Tools to use and why:<\/strong> Harbor, pull-through caches, logs, monitoring.<br\/>\n<strong>Common pitfalls:<\/strong> Lack of cached replicas; old manifests not replicated.<br\/>\n<strong>Validation:<\/strong> Simulate registry downtime in game day.<br\/>\n<strong>Outcome:<\/strong> Faster recovery and improved resilience.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Scenario #4 \u2014 Cost vs performance trade-off with image size<\/h3>\n\n\n\n<p><strong>Context:<\/strong> High-volume service with high network egress costs using massive images.<br\/>\n<strong>Goal:<\/strong> Reduce cost while maintaining acceptable start 
latency.<br\/>\n<strong>Why OCI matters here:<\/strong> Image size impacts transfer cost and startup time.<br\/>\n<strong>Architecture \/ workflow:<\/strong> Build optimized images, use sidecar patterns for large assets.<br\/>\n<strong>Step-by-step implementation:<\/strong> <\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Measure current image sizes and transfer volumes.<\/li>\n<li>Rebase on smaller base images and remove unnecessary layers.<\/li>\n<li>Use shared init containers to pull large data once.<\/li>\n<li>Implement CDN or sidecar to serve large static assets.<\/li>\n<\/ol>\n\n\n\n<p><strong>What to measure:<\/strong> Data egress, start latency, cost per deployment.<br\/>\n<strong>Tools to use and why:<\/strong> buildx, registry metrics, cost monitoring.<br\/>\n<strong>Common pitfalls:<\/strong> Over-optimization breaking dependencies.<br\/>\n<strong>Validation:<\/strong> A\/B test reduced images and monitor error budgets.<br\/>\n<strong>Outcome:<\/strong> Reduced cost with controlled latency trade-offs.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">Common Mistakes, Anti-patterns, and Troubleshooting<\/h2>\n\n\n\n<p>Twenty common mistakes, each listed as Symptom -&gt; Root cause -&gt; Fix, followed by a subset of observability pitfalls:<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>Symptom: Pods stuck ImagePullBackOff -&gt; Root cause: Bad registry auth -&gt; Fix: Rotate and validate credentials in k8s secrets  <\/li>\n<li>Symptom: Slow container startups -&gt; Root cause: Large images and layered IO -&gt; Fix: Slim base images and layer consolidation  <\/li>\n<li>Symptom: Vulnerabilities in prod -&gt; Root cause: No scanning in CI -&gt; Fix: Add scanner gate and SBOM checks  <\/li>\n<li>Symptom: Non-reproducible builds -&gt; Root cause: Unpinned dependencies -&gt; Fix: Pin deps and cache build environment  <\/li>\n<li>Symptom: Broken manifest pulls -&gt; Root cause: Partial push due to timeout -&gt; Fix: Use resumable uploads and retry logic  
<\/li>\n<li>Symptom: Admissions blocking deploys -&gt; Root cause: Misconfigured policy -&gt; Fix: Test admission flows in staging  <\/li>\n<li>Symptom: Signature verification fails -&gt; Root cause: Key rotation mismatch -&gt; Fix: Ensure key roll-over plan and trust root chain  <\/li>\n<li>Symptom: Registry runs out of disk -&gt; Root cause: No GC or retention policy -&gt; Fix: Implement retention and automated garbage collection  <\/li>\n<li>Symptom: High costs from egress -&gt; Root cause: Large frequent pulls -&gt; Fix: Use pull-through caches and smaller images  <\/li>\n<li>Symptom: Observability blind spots -&gt; Root cause: Not exporting registry metrics -&gt; Fix: Instrument and collect registry and runtime metrics  <\/li>\n<li>Symptom: False negatives from scanner -&gt; Root cause: Outdated vulnerability DB -&gt; Fix: Ensure scanner DB update cadence  <\/li>\n<li>Symptom: Architecture mismatch errors -&gt; Root cause: Wrong manifest list -&gt; Fix: Build and verify multi-arch manifests in CI  <\/li>\n<li>Symptom: App crashes due to missing files -&gt; Root cause: Layer ordering created by Dockerfile misuse -&gt; Fix: Reorder Dockerfile and validate image contents  <\/li>\n<li>Symptom: Secret leakage in image -&gt; Root cause: Embedding secrets into layers -&gt; Fix: Use secrets at runtime and multistage builds  <\/li>\n<li>Symptom: Image pull storms overload registry -&gt; Root cause: No caching or CDN -&gt; Fix: Add regional mirrors and caches  <\/li>\n<li>Symptom: GC causing outages -&gt; Root cause: Running GC during peak -&gt; Fix: Schedule GC during low traffic windows and throttle  <\/li>\n<li>Symptom: Audit gaps -&gt; Root cause: Discarded build metadata -&gt; Fix: Persist SBOM and attestation per artifact  <\/li>\n<li>Symptom: On-call confusion over deploy failures -&gt; Root cause: Poor runbooks -&gt; Fix: Create concise runbooks with playbooks and ownership  <\/li>\n<li>Symptom: Noise in alerts -&gt; Root cause: Low signal-to-noise thresholds 
-&gt; Fix: Adjust thresholds and use grouping and dedupe  <\/li>\n<li>Symptom: Image drift across envs -&gt; Root cause: Using mutable tags like latest -&gt; Fix: Use digest pinning for deployments<\/li>\n<\/ol>\n\n\n\n<p>Observability pitfalls (subset):<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Missing registry metrics -&gt; Add exporters for registry internals.<\/li>\n<li>Counting retries as success -&gt; Define metric semantics for first-attempt pull success.<\/li>\n<li>Metrics without context -&gt; Add labels for service, region, and image digest.<\/li>\n<li>High-cardinality labels -&gt; Avoid using dynamic labels like request id in metrics.<\/li>\n<li>No correlation between logs and metrics -&gt; Ensure trace IDs and consistent timestamps.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">Best Practices &amp; Operating Model<\/h2>\n\n\n\n<p>Ownership and on-call:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Ownership: Teams owning services own images and pipeline for those images.<\/li>\n<li>Registry ops: Central team maintains registry infra and policies.<\/li>\n<li>On-call: SREs monitor registries and release pipelines separately from app on-call.<\/li>\n<\/ul>\n\n\n\n<p>Runbooks vs playbooks:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Runbook: Step-by-step operational instructions for known issues.<\/li>\n<li>Playbook: Tactical plan for complex incidents with decision points and stakeholders.<\/li>\n<\/ul>\n\n\n\n<p>Safe deployments:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Canary deployments with digest pinning.<\/li>\n<li>Automated rollbacks on SLO breaches.<\/li>\n<li>Feature flags to decouple code changes from image rollouts.<\/li>\n<\/ul>\n\n\n\n<p>Toil reduction and automation:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Automate image signing and SBOM generation in CI.<\/li>\n<li>Automate cache warming and pre-pulling for critical services.<\/li>\n<li>Automate retention and garbage 
collection.<\/li>\n<\/ul>\n\n\n\n<p>Security basics:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Sign all production images.<\/li>\n<li>Enforce SBOM collection and storage.<\/li>\n<li>Use least-privilege runtime configurations (seccomp, AppArmor).<\/li>\n<li>Rotate keys and manage secrets via KMS.<\/li>\n<\/ul>\n\n\n\n<p>Weekly\/monthly routines:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Weekly: Review failed pulls, registry error logs.<\/li>\n<li>Monthly: Audit signed image percentages and SBOM completeness.<\/li>\n<li>Quarterly: Game day for registry outage and key compromise.<\/li>\n<\/ul>\n\n\n\n<p>What to review in postmortems related to OCI:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Artifact provenance and signing checks.<\/li>\n<li>Whether image build or distribution caused incident.<\/li>\n<li>Metrics around pull times and error rates during incident.<\/li>\n<li>Any policy lapses around mutable tags or key rotations.<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">Tooling &amp; Integration Map for OCI<\/h2>\n\n\n\n<figure class=\"wp-block-table\"><table>\n<thead>\n<tr>\n<th>ID<\/th>\n<th>Category<\/th>\n<th>What it does<\/th>\n<th>Key integrations<\/th>\n<th>Notes<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>I1<\/td>\n<td>Builder<\/td>\n<td>Produces OCI images<\/td>\n<td>CI systems, buildx<\/td>\n<td>Use cache and reproducible builds<\/td>\n<\/tr>\n<tr>\n<td>I2<\/td>\n<td>Registry<\/td>\n<td>Stores artifacts<\/td>\n<td>Kubernetes, CI, scanners<\/td>\n<td>Ensure RBAC and replication<\/td>\n<\/tr>\n<tr>\n<td>I3<\/td>\n<td>Runtime<\/td>\n<td>Executes containers<\/td>\n<td>containerd, kubelet<\/td>\n<td>Must support OCI runtime-spec<\/td>\n<\/tr>\n<tr>\n<td>I4<\/td>\n<td>Signer<\/td>\n<td>Signs images<\/td>\n<td>CI\/CD, admission controllers<\/td>\n<td>Requires key management<\/td>\n<\/tr>\n<tr>\n<td>I5<\/td>\n<td>Scanner<\/td>\n<td>Finds vulnerabilities<\/td>\n<td>Registries, 
CI<\/td>\n<td>DB freshness critical<\/td>\n<\/tr>\n<tr>\n<td>I6<\/td>\n<td>SBOM tool<\/td>\n<td>Generates SBOMs<\/td>\n<td>Builders, registries<\/td>\n<td>Standardize SBOM format<\/td>\n<\/tr>\n<tr>\n<td>I7<\/td>\n<td>Attestation<\/td>\n<td>Stores attestations<\/td>\n<td>Trust systems, registries<\/td>\n<td>Link attestations to digests<\/td>\n<\/tr>\n<tr>\n<td>I8<\/td>\n<td>Observability<\/td>\n<td>Collects metrics<\/td>\n<td>Prometheus, Grafana<\/td>\n<td>Export registry and runtime metrics<\/td>\n<\/tr>\n<tr>\n<td>I9<\/td>\n<td>Admission<\/td>\n<td>Enforces policies<\/td>\n<td>Kubernetes, OPA<\/td>\n<td>Validate signatures and SBOMs<\/td>\n<\/tr>\n<tr>\n<td>I10<\/td>\n<td>Cache<\/td>\n<td>Reduces pulls<\/td>\n<td>Edge, registries<\/td>\n<td>Useful for multi-region deployments<\/td>\n<\/tr>\n<\/tbody>\n<\/table><\/figure>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">Frequently Asked Questions (FAQs)<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\">What exactly does OCI stand for?<\/h3>\n\n\n\n<p>OCI stands for Open Container Initiative, the set of open specifications for container images and runtimes.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Is OCI the same as Docker?<\/h3>\n\n\n\n<p>No. Docker produced early container tooling and images; OCI is a standard specification that many tools including Docker conform to.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Do I have to sign images?<\/h3>\n\n\n\n<p>Not mandatory but highly recommended for production and compliance to ensure provenance.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Can OCI images be used for serverless?<\/h3>\n\n\n\n<p>Yes. 
Many serverless platforms accept OCI images for functions and services.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">How do I enforce OCI signing in Kubernetes?<\/h3>\n\n\n\n<p>Use an admission controller that verifies signatures before allowing image pull or pod creation.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Are all registries OCI compliant?<\/h3>\n\n\n\n<p>Most modern registries support OCI distribution, but implementations and feature sets vary.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">What is the difference between manifest and manifest list?<\/h3>\n\n\n\n<p>A manifest describes a single image for one architecture; a manifest list points to multiple manifests for multi-arch support.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">How do I handle multi-arch builds?<\/h3>\n\n\n\n<p>Use multi-arch builders like buildx and produce manifest lists pointing to arch-specific images.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">What tools generate SBOMs?<\/h3>\n\n\n\n<p>Build tools and scanners like buildkit and Trivy can generate SBOMs; formats may differ.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">How should I measure image pull success?<\/h3>\n\n\n\n<p>Track first-attempt pull success and retries separately, and use success rate SLOs per region.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">How often should vulnerability scans run?<\/h3>\n\n\n\n<p>At minimum, scan on build and before promoting to prod; periodic re-scans are also recommended.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">What is digest pinning and why use it?<\/h3>\n\n\n\n<p>Digest pinning references an image by its content digest, which is immutable, preventing unexpected changes from mutable tags.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Will OCI prevent security incidents?<\/h3>\n\n\n\n<p>No. 
OCI enables mechanisms like signing and SBOMs; security depends on policies and operational practices.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">How do I test registry failure recovery?<\/h3>\n\n\n\n<p>Simulate network partition or registry downtime during game days and validate failover to caches.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Can I run OCI images on bare metal without Kubernetes?<\/h3>\n\n\n\n<p>Yes. OCI images can be pulled and run via runtime tools like runc or crun on bare metal.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Is SBOM required by law?<\/h3>\n\n\n\n<p>It varies by jurisdiction and regulation.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">What causes manifest validation errors?<\/h3>\n\n\n\n<p>Typically corrupt pushes, aborted uploads, or incompatible tooling versions.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">How can I reduce image sizes effectively?<\/h3>\n\n\n\n<p>Use multistage builds and minimal base images, and remove build artifacts before producing the final image.<\/p>\n\n\n\n<hr class=\"wp-block-separator\" \/>\n\n\n\n<h2 class=\"wp-block-heading\">Conclusion<\/h2>\n\n\n\n<p>OCI provides a critical foundation for portable, interoperable container images and runtimes. 
Adopting OCI standards reduces vendor lock-in, improves supply chain traceability, and enables robust SRE practices around deployment reliability and security.<\/p>\n\n\n\n<p>Next 7 days plan:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Day 1: Audit current images and check for signatures and SBOMs.<\/li>\n<li>Day 2: Instrument registry and runtime metrics collection.<\/li>\n<li>Day 3: Add image scanning and fail-build rules for critical severities.<\/li>\n<li>Day 4: Implement digest pinning in a staging deployment.<\/li>\n<li>Day 5: Create runbooks for common registry and pull failures.<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>&#8212;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[149],"tags":[],"class_list":["post-1960","post","type-post","status-publish","format-standard","hentry","category-terminology"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>What is OCI? 
Meaning, Architecture, Examples, Use Cases, and How to Measure It (2026 Guide) - SRE School<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/sreschool.com\/blog\/oci\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"What is OCI? Meaning, Architecture, Examples, Use Cases, and How to Measure It (2026 Guide) - SRE School\" \/>\n<meta property=\"og:description\" content=\"---\" \/>\n<meta property=\"og:url\" content=\"https:\/\/sreschool.com\/blog\/oci\/\" \/>\n<meta property=\"og:site_name\" content=\"SRE School\" \/>\n<meta property=\"article:published_time\" content=\"2026-02-15T11:16:33+00:00\" \/>\n<meta name=\"author\" content=\"Rajesh Kumar\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Rajesh Kumar\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"26 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/sreschool.com\/blog\/oci\/\",\"url\":\"https:\/\/sreschool.com\/blog\/oci\/\",\"name\":\"What is OCI? 
Meaning, Architecture, Examples, Use Cases, and How to Measure It (2026 Guide) - SRE School\",\"isPartOf\":{\"@id\":\"https:\/\/sreschool.com\/blog\/#website\"},\"datePublished\":\"2026-02-15T11:16:33+00:00\",\"author\":{\"@id\":\"https:\/\/sreschool.com\/blog\/#\/schema\/person\/0ffe446f77bb2589992dbe3a7f417201\"},\"breadcrumb\":{\"@id\":\"https:\/\/sreschool.com\/blog\/oci\/#breadcrumb\"},\"inLanguage\":\"en\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/sreschool.com\/blog\/oci\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/sreschool.com\/blog\/oci\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/sreschool.com\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"What is OCI? Meaning, Architecture, Examples, Use Cases, and How to Measure It (2026 Guide)\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/sreschool.com\/blog\/#website\",\"url\":\"https:\/\/sreschool.com\/blog\/\",\"name\":\"SRESchool\",\"description\":\"Master SRE. Build Resilient Systems. 
Lead the Future of Reliability\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/sreschool.com\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/sreschool.com\/blog\/#\/schema\/person\/0ffe446f77bb2589992dbe3a7f417201\",\"name\":\"Rajesh Kumar\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en\",\"@id\":\"https:\/\/sreschool.com\/blog\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/f901a4f2929fa034a291a8363d589791d5a3c1f6a051c22e744acb8bfc8e022a?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/f901a4f2929fa034a291a8363d589791d5a3c1f6a051c22e744acb8bfc8e022a?s=96&d=mm&r=g\",\"caption\":\"Rajesh Kumar\"},\"sameAs\":[\"http:\/\/sreschool.com\/blog\"],\"url\":\"https:\/\/sreschool.com\/blog\/author\/admin\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"What is OCI? Meaning, Architecture, Examples, Use Cases, and How to Measure It (2026 Guide) - SRE School","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/sreschool.com\/blog\/oci\/","og_locale":"en_US","og_type":"article","og_title":"What is OCI? Meaning, Architecture, Examples, Use Cases, and How to Measure It (2026 Guide) - SRE School","og_description":"---","og_url":"https:\/\/sreschool.com\/blog\/oci\/","og_site_name":"SRE School","article_published_time":"2026-02-15T11:16:33+00:00","author":"Rajesh Kumar","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Rajesh Kumar","Est. 
reading time":"26 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/sreschool.com\/blog\/oci\/","url":"https:\/\/sreschool.com\/blog\/oci\/","name":"What is OCI? Meaning, Architecture, Examples, Use Cases, and How to Measure It (2026 Guide) - SRE School","isPartOf":{"@id":"https:\/\/sreschool.com\/blog\/#website"},"datePublished":"2026-02-15T11:16:33+00:00","author":{"@id":"https:\/\/sreschool.com\/blog\/#\/schema\/person\/0ffe446f77bb2589992dbe3a7f417201"},"breadcrumb":{"@id":"https:\/\/sreschool.com\/blog\/oci\/#breadcrumb"},"inLanguage":"en","potentialAction":[{"@type":"ReadAction","target":["https:\/\/sreschool.com\/blog\/oci\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/sreschool.com\/blog\/oci\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/sreschool.com\/blog\/"},{"@type":"ListItem","position":2,"name":"What is OCI? Meaning, Architecture, Examples, Use Cases, and How to Measure It (2026 Guide)"}]},{"@type":"WebSite","@id":"https:\/\/sreschool.com\/blog\/#website","url":"https:\/\/sreschool.com\/blog\/","name":"SRESchool","description":"Master SRE. Build Resilient Systems. 
Lead the Future of Reliability","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/sreschool.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en"},{"@type":"Person","@id":"https:\/\/sreschool.com\/blog\/#\/schema\/person\/0ffe446f77bb2589992dbe3a7f417201","name":"Rajesh Kumar","image":{"@type":"ImageObject","inLanguage":"en","@id":"https:\/\/sreschool.com\/blog\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/f901a4f2929fa034a291a8363d589791d5a3c1f6a051c22e744acb8bfc8e022a?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f901a4f2929fa034a291a8363d589791d5a3c1f6a051c22e744acb8bfc8e022a?s=96&d=mm&r=g","caption":"Rajesh Kumar"},"sameAs":["http:\/\/sreschool.com\/blog"],"url":"https:\/\/sreschool.com\/blog\/author\/admin\/"}]}},"_links":{"self":[{"href":"https:\/\/sreschool.com\/blog\/wp-json\/wp\/v2\/posts\/1960","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sreschool.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sreschool.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sreschool.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/sreschool.com\/blog\/wp-json\/wp\/v2\/comments?post=1960"}],"version-history":[{"count":0,"href":"https:\/\/sreschool.com\/blog\/wp-json\/wp\/v2\/posts\/1960\/revisions"}],"wp:attachment":[{"href":"https:\/\/sreschool.com\/blog\/wp-json\/wp\/v2\/media?parent=1960"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sreschool.com\/blog\/wp-json\/wp\/v2\/categories?post=1960"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sreschool.com\/blog\/wp-json\/wp\/v2\/tags?post=1960"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}