This is a small tool to delete tags, or, to be more correct, delete image manifests, from a Docker Registry implementing the API v2.
Please be aware of that this is a soft delete. You've to run the registry garbage collection after this tool has been applied.
For Docker Registry v2 API specification see https://docs.docker.com/registry/spec/api/.
Information about the needed garbage collection is described at https://docs.docker.com/registry/garbage-collection/.
- v0.5 - fix for issue #8 which resulted in deleting more layers then intended; performance improvements; added
- v0.4.1 - added
- v0.4 - added support for basic auth secured registry servers, introducing
--basicauth-pw(thanks to @kekru for his pull request)
- v0.3 - fixing deletion if a digest is associated with multiple tags, introducing the
- v0.2 - added support for registry server using self signed certificates
- v0.1 - first version with basics
Prerequisites and supported Plattform
This tool was implemented and tested on Ubuntu Linux 14.04, 16.04 and on MacOS 10.12 using Python 2.7. It is developed against Docker Registry version 2.5.1, but tested against 2.6.1 and latest (see https://hub.docker.com/r/library/registry/).
You need to install the Python module requests:
$ pip install requests
Be sure to configure your registry server to allow deletion (see https://docs.docker.com/registry/configuration/#/delete).
Download the file cleanreg.py or clone this repository to a local directory.
usage: cleanreg.py [-h] [-v] -r REGISTRY [-p] [-y] [-q] [-n REPONAME] [-k KEEPIMAGES] [-f REPOSFILE] [-c CACERT] [-i] [-u BASICAUTHUSER] [-pw BASICAUTHPW] [-w MD_WORKERS] Removes images on a docker registry (v2). optional arguments: -h, --help show this help message and exit -v, --verbose The verbosity level. Increase verbosity by multiple usage, e.g. -vvv . -r REGISTRY, --registry REGISTRY The registry server to connect to, e.g. http://188.8.131.52:5000 -p, --proxy Use system level proxy settings accessing registry server if set. By default, the registry server will be accessed without a proxy. -y, --yes, --assume-yes If set no user action will appear and all questions will be answered with YES -q, --quiet [deprecated] If set no user action will appear and all questions will be answered with YES -n REPONAME, --reponame REPONAME The name of the repo which should be cleaned up -cf, --clean-full-catalog If set all repos of the registry will be cleaned up, keeping the amount of images specified in -k option. The amount for each repo can be overridden in the repofile (-f). -k KEEPIMAGES, --keepimages KEEPIMAGES Amount of images (not tags!) which should be kept for the given repo (if -n is set) or for each repo of the registry (if -cf is set). -f REPOSFILE, --reposfile REPOSFILE A file containing the list of Repositories and how many images should be kept. -c CACERT, --cacert CACERT Path to a valid CA certificate file. This is needed if self signed TLS is used in the registry server. -i, --ignore-ref-tags Ignore a digest if it is referenced multiple times in the whole registry server. In this case, a list of all repositories and their images will be retrieved which can be time and memory consuming. ATTENTION: the default is False so an image will be deleted even it is referenced multiple times. -u BASICAUTHUSER, --basicauth-user BASICAUTHUSER The username, if the registry is protected with basic auth -pw BASICAUTHPW, --basicauth-pw BASICAUTHPW The password, if the registry is protected with basic auth -w MD_WORKERS, --metadata-workers MD_WORKERS Parallel workers to retrieve image metadata. Default value is 6.
In addition, you can obtain the public docker image to run it in a container:
docker run --rm hcguersoy/cleanreg:v0.5.0
The image is hosted here: https://hub.docker.com/r/hcguersoy/cleanreg/
latest tag is not provided anymore!
Attention: It is strongly recommended that you use the -i flag even it is more time and memory consuming. If not you can delete images / layers which you not wanted to delete because registry itself doesn't check if a digest is referenced by multiple tags!
Cleaning up a single repository called mysql on registry server 192.168.56.2:5000 and keeping 5 of the latest images:
./cleanreg.py -r http://192.168.56.2:5000 -n mysql -k 5
Be aware that you don't keep here the five last tags but digests/images. As a digest can be associated with multiple tags this can result in deletion of images which you not intended in!
Again: to be secure use the
./cleanreg.py -r http://192.168.56.2:5000 -n mysql -k 5 -i
Same as above but ignore images which are associated with multiple tags.
./cleanreg.py -r http://192.168.56.2:5000 -n myalpine -k 50 -i -w 12
If you have a very large registry and enough bandwidth you can increase the parallel workers to retrieve the image metadata. The default is 6. Be aware that you can generate a DoS on your registry server by increasing to much.
Cleaning up all repositories of the registry:
./cleanreg.py -r http://192.168.56.2:5000 -cf -k 5 -i
This will clean up all repositories, keeping 5 images per repository.
Cleaning up multiple repositories defined in a configuration file:
./cleanreg.py -r http://192.168.56.2:5000 -f cleanreg-example.conf -i
The configuration file has the format
<repository name> <images to keep>. An example file can be found in the repository.
The configuration file can be used together with the clean-full-catalog option:
./cleanreg.py -r http://192.168.56.2:5000 -cf -k 5 -f cleanreg-example.conf -i
This will clean the repositories with images to keep as defined in the configuration file and it will additionally clean all other repositories of the registry, keeping 5 images per repository.
If you've to use a repositories definition file (parameter
-f) while using the image distribution you should mount that file into your container:
docker run --rm -it -v $(pwd)/cleanreg-example.conf:/cleanreg-example.conf hcguersoy/cleanreg:<version> -r http://192.168.56.2:5000 -f cleanreg-example.conf -i
There is a simple script added to create multiple image tags (based on
busybox) on your registry server.
If you have installed a semi secure registry server using TLS and self signed certificates you have to provide the path to the CA certificate file:
./cleanreg.py -r https://192.168.56.3:5000 -c /my/certifacates/ca.pem -f cleanreg-example.conf -i
If you run cleanreg in a container you should not forget to mount the certificate file into the container like the configuration file above.
If your registry is protected with basic auth and the username is
test and the password is
secret, you have to pass these credentials to cleanreg.
./cleanreg.py -r https://192.168.56.3:5000 -u test -pw secret -f cleanreg-example.conf
Runing Garbage Collection
Example on running the garbage collection:
$ docker run --rm \ -v /docker/registry2:/var/lib/registry:rw \ registry:latest bin/registry \ garbage-collect /etc/docker/registry/config.yml
This maps the local directory /docker/registry2 into the container, and calls the garbage collection.
The pointed config file is the default configuration.
The registry itself should be stopped before running this.
Feel free to contribute your changes as a PR. Please ensure that the tests run without errors and provide tests for additional functionality.
- Locally installed Docker engine (remote execution is not yet implemented; runs with Docker for MacOS fine)
You can run all tests, with the runAllTests.sh script:
cd test ./runAllTests.sh
This will run all tests and repeat them for different versions of the Docker Registry.
To run a single test, change to the
test/tests directory and run a test script:
cd test/tests ./simple_clean.sh
By default the test will start the Docker Registry from Docker Hub with the tag
latest. To specify another registry version, write its Docker Hub tag to the environment variable
cd test/tests export REGISTRYTAG=2.5.1 ./simple_clean.sh