Reputation: 3296
I run a private docker registry, and I want to delete all images but the latest
from a repository. I don't want to delete the entire repository, just some of the images inside it. The API docs don't mention a way to do this, but surely it's possible?
Upvotes: 291
Views: 517274
Reputation: 2693
I've faced the same problem with my registry, then I tried the solution listed below from a blog page. It works.
Do note, the deletion must be enabled for it to work. You can do it by providing a custom config, or by setting REGISTRY_STORAGE_DELETE_ENABLED=true
$ curl -sS <domain-on-ip>:5000/v2/_catalog
The response will be in the following format:
"repositories": [
$ curl -sS <domain-on-ip>:5000/v2/<repo>/tags/list
The response will be in the following format:
"name": <repo>,
"tags": [
$ curl -sS -H 'Accept: application/vnd.docker.distribution.manifest.v2+json' \
-o /dev/null \
-w '%header{Docker-Content-Digest}' \
Do note, the Accept
header is needed here. Without it you'll get a different value and the deletion will fail.
Note the -w
option is only supported in CURL v7.83.0 and above. In older versions of CURL you will need to use another tool such as sed, grep or awk to extract the header content from the output.
The response will be in the following format:
$ curl -sS -X DELETE <domain-or-ip>:5000/v2/<repo>/manifests/<digest>
Note that you need to include the
Run this command in your docker registry container:
$ registry garbage-collect -m /etc/docker/registry/config.yml
Here is my config.yml:
version: 0.1
service: registry
blobdescriptor: inmemory
rootdirectory: /var/lib/registry
enabled: true
addr: :5000
X-Content-Type-Options: [nosniff]
enabled: true
interval: 10s
threshold: 3
Upvotes: 151
Reputation: 265130
The requirement to delete all tags except latest
gets complicated because the same image manifest can be pointed to by multiple tags, so when you delete a manifest for one tag, you may effectively delete multiple tags.
There are a few options to make that workable. One is to track the digest for the latest tag and only delete manifests for other digests, or you can use some different API calls to delete the tags themselves.
Regardless of how you implement this, first your registry needs to be configured to allow the delete API's. With the minimal registry:2
image, that involves starting it with an environment variable REGISTRY_STORAGE_DELETE_ENABLED=true
(or the equivalent yaml config).
Then for a simple script to loop through the tags and delete, there's:
for tag in $(regctl tag ls $repo); do
if [ "$tag" != "latest" ]; then
echo "Deleting: $(regctl image digest --list "${repo}:${tag}") [$tag]"
regctl tag rm "${repo}:${tag}"
The regctl
command used here comes from regclient and the regctl tag rm
logic first attempts to perform the tag delete API added recently to the distribution-spec. Since most registries haven't implemented that spec, it falls back to the manifest delete API, but it first creates a dummy manifest to overwrite the tag, and then deletes that new digest. In doing so, if the old manifest was in use by other tags, it doesn't delete those other tags.
An alternative version of the script that deletes manifests except those pointing to the latest
digest looks like:
save="$(regctl image digest --list "${repo}:latest")"
for tag in $(regctl tag ls $repo); do
digest="$(regctl image digest --list "${repo}:${tag}")"
if [ "$digest" != "$save" ]; then
echo "Deleting: $digest [$tag]"
regctl manifest rm "${repo}@${digest}"
If you find yourself needing to create a deletion policy to automate the deleting of lots of images, I'd recommend looking at regclient/regbot
from the same repo which allows you to define that policy and leave it running to continuously prune your registry.
Once the images have been deleted, you'll need to garbage collect your registry in most use cases. For example with the registry:2
image that looks like:
docker exec registry /bin/registry garbage-collect \
/etc/docker/registry/config.yml --delete-untagged
Caution: there is an open issue with the garbage-collect utility that will delete untagged child manifests of a multi-platform image. If you are using multi-platform images, you'll need to ensure every platform specific image is tagged or avoid using the above GC command until the issue has been resolved in your deployed version.
Upvotes: 8
Reputation: 8704
This is the simplest solution that worked for my setup, using a private registry in a swarm cluster
Experimenting with whatever filter you need
docker images | grep 'your_own_filter'
tail -n +4
: keep the last 3 images that got built
awk '{print $3}'
: will extract the 3rd column, which is the 'IMAGE ID'
docker rmi $(docker images | grep 'your_own_filter' | tail -n +4 | awk '{print $3}')
Upvotes: -1
Reputation: 18983
A script to remove all but the latest
tag from an insecure registry (private, no auth):
#!/bin/sh -eu
tags=`curl -sS "$registry/v2/$repo/tags/list" | jq -r .tags[]`
tag2digest() {
local tag=$1
curl -sS -H 'Accept: application/vnd.docker.distribution.manifest.v2+json' \
-o /dev/null \
-w '%header{Docker-Content-Digest}' \
latest_digest=`tag2digest latest`
digests=`echo "$tags" \
| while IFS= read -r tag; do
tag2digest "$tag"
done \
| sort \
| uniq`
digests=`echo "$digests" \
| grep -Fvx "$latest_digest"`
echo "$digests" \
| while IFS= read -r digest; do
curl -sS -X DELETE "$registry/v2/$repo/manifests/$digest"
$ ./ <image> [<registry>]
After removing tags (or manifests to be more precise) run garbage collection:
$ registry garbage-collect /etc/docker/registry/config.yml
To support Docker Hub and/or auth see these answers.
Upvotes: 0
Reputation: 711
This is really ugly but it works, text is tested on registry:2.5.1. I did not manage to get delete working smoothly even after updating configuration to enable delete. The ID was really difficult to retrieve, had to login to get it, maybe some misunderstanding. Anyway, the following works:
Enter the container
docker exec -it registry sh
Define variables matching your container and container version:
export NAME="google/cadvisor"
export VERSION="v0.24.1"
Move to the the registry directory:
cd /var/lib/registry/docker/registry/v2
Delete files related to your hash:
find . | grep `ls ./repositories/$NAME/_manifests/tags/$VERSION/index/sha256`| xargs rm -rf $1
Delete manifests:
rm -rf ./repositories/$NAME/_manifests/tags/$VERSION
Run the GC:
docker exec -it registry bin/registry garbage-collect /etc/docker/registry/config.yml
If all was done properly some information about deleted blobs is shown.
Upvotes: 24
Reputation: 1475
The current v2
registry now supports deleting via DELETE /v2/<name>/manifests/<reference>
The <reference>
can be taken from the Docker-Content-Digest
header of a GET /v2/<name>/manifests/<tag>
request (do note that the Accept: application/vnd.docker.distribution.manifest.v2+json
header is needed for this request).
A script that makes use of it:
For it to work deletion must be enabled (REGISTRY_STORAGE_DELETE_ENABLED=true
And to really free the disk space you need to run garbage collection.
Upvotes: 92
Reputation: 11388
There are some clients (in Python, Ruby, etc) which do exactly that. For my taste, it isn't sustainable to install a runtime (e.g. Python) on my registry server, just to housekeep my registry!
So deckschrubber
is my solution:
go install
images older than a given age are automatically deleted. Age can be specified using -year
, -month
, -day
, or a combination of them:
$GOPATH/bin/deckschrubber -month 2 -day 13 -registry http://registry:5000
UPDATE: here's a short introduction on deckschrubber.
Upvotes: 16
Reputation: 6462
I am usually all for doing things with scripts, but if you are already running a registry UI container built from Joxit/docker-registry-ui, I found it easier to just opt-click the delete button in the UI and delete a page of images at a time, then garbage collect after.
Upvotes: 4
Reputation: 60163
Problem 1
You mentioned it was your private docker registry, so you probably need to check Registry API instead of Hub registry API doc, which is the link you provided.
Problem 2
docker registry API is a client/server protocol, it is up to the server's implementation on whether to remove the images in the back-end. (I guess)
DELETE /v1/repositories/(namespace)/(repository)/tags/(tag*)
Detailed explanation
Below I demo how it works now from your description as my understanding for your questions.
I run a private docker registry.
I use the default one, and listen on port 5000
docker run -d -p 5000:5000 registry
Then I tag the local image and push into it.
$ docker tag ubuntu localhost:5000/ubuntu
$ docker push localhost:5000/ubuntu
The push refers to a repository [localhost:5000/ubuntu] (len: 1)
Sending image list
Pushing repository localhost:5000/ubuntu (1 tags)
511136ea3c5a: Image successfully pushed
d7ac5e4f1812: Image successfully pushed
2f4b4d6a4a06: Image successfully pushed
83ff768040a0: Image successfully pushed
6c37f792ddac: Image successfully pushed
e54ca5efa2e9: Image successfully pushed
Pushing tag for rev [e54ca5efa2e9] on {http://localhost:5000/v1/repositories/ubuntu/tags/latest}
After that I can use Registry API to check it exists in your private docker registry
$ curl -X GET localhost:5000/v1/repositories/ubuntu/tags
{"latest": "e54ca5efa2e962582a223ca9810f7f1b62ea9b5c3975d14a5da79d3bf6020f37"}
Now I can delete the tag using that API !!
$ curl -X DELETE localhost:5000/v1/repositories/ubuntu/tags/latest
Check again, the tag doesn't exist in my private registry server
$ curl -X GET localhost:5000/v1/repositories/ubuntu/tags/latest
{"error": "Tag not found"}
Upvotes: 21
Reputation: 43
There is also a way you can remove some old images from repository just based on the date when it was created.
To do that enter your docker registry container and get the list of manifest's revisions for some specific repository:
ls -latr /var/lib/registry/docker/registry/v2/repositories/YOUR_REPO/_manifests/revisions/sha256/
The output then may be used within the request (with sha256 prefix):
curl -v --silent -H "Accept: application/vnd.docker.distribution.manifest.v2+json" -X DELETE http://DOCKER_REGISTRY_HOST:5000/v2/YOUR_REPO/manifests/sha256:OUTPUT_LINE
And of course do not forget to execute 'garbage-collect' command after that:
bin/registry garbage-collect /etc/docker/registry/config.yml
Upvotes: 2
Reputation: 2033
Another tool you can use is registry-cli. For example, this command: -l "login:password" -r --delete
will delete all but the last 10 images.
Upvotes: 3
Reputation: 321
Here is a script based on Yavuz Sert's answer. It deletes all tags that are not the latest version, and their tag is greater than 950.
#!/usr/bin/env bash
if [[ "${Tag}" == "latest" ]]; then
if [[ "${Tag}" -ge "950" ]]; then
if [[ "${Skip}" == "1" ]]; then
echo "skip ${Name} ${Tag}"
echo "delete ${Name} ${Tag}"
Sha=$(curl -v -s -H "Accept: application/vnd.docker.distribution.manifest.v2+json" -X GET${Name}/manifests/${Tag} 2>&1 | grep Docker-Content-Digest | awk '{print ($3)}')
curl -H "Accept: application/vnd.docker.distribution.manifest.v2+json" -X DELETE "${Name}/manifests/${Sha}"
echo "Repository ${Name}"
curl -s${Name}/tags/list | jq '.tags[]' |
while IFS=$"\n" read -r line; do
CheckTag $Name $line
JqPath=$(which jq)
if [[ "x${JqPath}" == "x" ]]; then
echo "Couldn't find jq executable."
exit 2
curl -s | jq '.repositories[]' |
while IFS=$"\n" read -r line; do
ScanRepository $line
Upvotes: 1
Reputation: 6531
1) You must typed following command for RepoDigests of a docker repo;
## docker inspect <registry-host>:<registry-port>/<image-name>:<tag>
> docker inspect
"Id": "sha256:16c5af74ed970b1671fe095e063e255e0160900a0e12e1f8a93d75afe2fb860c",
"RepoTags": [
"RepoDigests": [
${digest} = sha256:5580b2110c65a1f2567eeacae18a3aec0a31d88d2504aa257a2fecf4f47695e6
2) Use registry REST API
##curl -u username:password -vk -X DELETE registry-host>:<registry-port>/v2/<image-name>/manifests/${digest}
>curl -u example-user:example-password -vk -X DELETE
You should get a 202 Accepted for a successful invocation.
3-) Run Garbage Collector
docker exec registry bin/registry garbage-collect --dry-run /etc/docker/registry/config.yml
registry — registry container name.
For more detail explanation enter link description here
Upvotes: 2
Reputation: 389
Simple ruby script based on this answer: registry_cleaner.
You can run it on local machine:
./registry_cleaner.rb --host= --repository=name --tags_count=4
And then on the registry machine remove blobs with /bin/registry garbage-collect /etc/docker/registry/config.yml
Upvotes: 1
Reputation: 693
Below Bash Script Deletes all the tags located in registry except the latest.
for D in /registry-data/docker/registry/v2/repositories/*; do
if [ -d "${D}" ]; then
if [ -z "$(ls -A ${D}/_manifests/tags/)" ]; then
echo ''
for R in $(ls -t ${D}/_manifests/tags/ | tail -n +2); do
digest=$(curl -k -I -s -H -X GET http://xx.xx.xx.xx:5000/v2/$(basename ${D})/manifests/${R} -H 'accept: application/vnd.docker.distribution.manifest.v2+json' | grep Docker-Content-Digest | awk '{print $2}' )
url="http://xx.xx.xx.xx:5000/v2/$(basename ${D})/manifests/$digest"
curl -X DELETE -k -I -s $url -H 'accept: application/vnd.docker.distribution.manifest.v2+json'
After this Run
docker exec $(docker ps | grep registry | awk '{print $1}') /bin/registry garbage-collect /etc/docker/registry/config.yml
Upvotes: 1
Reputation: 11
This docker image includes a bash script that can be used to remove images from a remote v2 registry :
Upvotes: 1
Reputation: 4489
Currently you cannot use the Registry API for that task. It only allows you to delete a repository or a specific tag.
In general, deleting a repository means, that all the tags associated to this repo are deleted.
Deleting a tag means, that the association between an image and a tag is deleted.
None of the above will delete a single image. They are left on your disk.
For this workaround you need to have your docker images stored locally.
A workaround for your solution would be to delete all but the latest tags and thereby potentially removing the reference to the associated images. Then you can run this script to remove all images, that are not referenced by any tag or the ancestry of any used image.
Consider an image graph like this where the capital letters (A
, B
, ...) represent short image IDs and <-
means that an image is based on another image:
A <- B <- C <- D
Now we add tags to the picture:
A <- B <- C <- D
| |
| <version2>
Here, the tag <version1>
references the image C
and the tag <version2>
references the image D
In your question you said that you wanted to remove
all images but the
. Now, this terminology is not quite correct. You've mixed images and tags. Looking at the graph I think you would agree that the tag <version2>
represents the latest version. In fact, according to this question you can have a tag that represents the latest version:
A <- B <- C <- D
| |
| <version2>
| <latest>
Since the <latest>
tag references image D
I ask you: do you really want to delete all but image D
? Probably not!
If you delete the tag <version1>
using the Docker REST API you will get this:
A <- B <- C <- D
Remember: Docker will never delete an image! Even if it did, in this case it cannot delete an image, since the image C
is part of the ancestry for the image D
which is tagged.
Even if you use this script, no image will be deleted.
Under the condition that you can control when somebody can pull or push to your registry (e.g. by disabling the REST interface). You can delete an image from an image graph if no other image is based on it and no tag refers to it.
Notice that in the following graph, the image D
is not based on C
but on B
. Therefore, D
doesn't depend on C
. If you delete tag <version1>
in this graph, the image C
will not be used by any image and this script can remove it.
A <- B <--------- D
\ |
\ <version2>
\ <latest>
\ <- C
After the cleanup your image graph looks like this:
A <- B <- D
Is this what you want?
Upvotes: 146