Reputation: 875
We have a GitLab CI pipeline which builds a new Docker image based on an external ETCD snapshot of a HashiCorp Vault secrets back-end. The image is for disaster recovery so we don't have any interest in keeping old versions in the registry.
Is there any way of purging GitLab registry container images which are older than a certain date? Or to keep a maximum number of recent images and delete the rest?
Thanks
S
Upvotes: 18
Views: 27561
Reputation: 1327784
GitLab 12.8 (Feb. 2020) introduced "Tag expiration policy".
And GitLab 13.0 (May 2020) enhances that feature with:
Define policies to ensure important images are never deleted
When using GitLab’s Image Expiration Policy, there is no way to express something such as “no matter what, don’t delete this tag”.
This introduces risk into the deletion process, as it’s possible to delete release or master images, which should be immutable.
In 13.0 we are excited to announce that you can now update your project’s expiration policy to identify images you never want deleted.
Simply enable the policy and use regex to identify the image you want to preserve.
See documentation and issue.
And with GitLab 13.5 (October 2020):
Major improvements to the Container Registry cleanup policy
When using the cleanup policy for tags to remove unwanted tags from your Container Registry, you may have noticed that the tags aren’t always removed like you’d expect them to be.
As a result, it’s likely that you had to manually intervene by using the GitLab API to delete registry tags in bulk, or you ignored the problem and subsequently experienced higher storage costs.
There are two potential issues that may have caused problems. The first issue is related to gitlab-#219915. This issue resolved a bug where some policies created in the user interface were failing, because the user wasn’t passed to the DeleteTagService.
In addition, you may have encountered an issue in which the policy ran, but only partially completed. This occurs when a policy attempts to delete many images and instead times out. If that happens, it will continue removing the tags in the policy’s next scheduled run. Moving forward, you will see a warning to signal that there are partially-run policies remaining. That way you can decide if you want to manually intervene or not.
We have several other improvements planned for this feature, including support for all historical projects and a preview of tags that will be removed.
See Documentation and Issue.
Upvotes: 8
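An offline dry run of the retention rules discussed in the answer above (keep the newest N, expire by age, never delete tags matching a keep regex), as an added example that is not part of the original answer and is not GitLab's code. The function name, parameter names and sample tags are constructed, and the rule order is an assumption modelled on GitLab's cleanup-policy documentation.

```python
import re
from datetime import datetime, timedelta, timezone

def preview_cleanup(tags, now, name_regex=".*", name_regex_keep=None,
                    keep_n=0, older_than_days=0):
    """Return the tag names a policy would delete, oldest first.

    tags: list of (name, created_at) tuples with timezone-aware datetimes.
    Assumed rule order: skip `latest`, keep only names matching name_regex,
    drop names matching name_regex_keep, spare the keep_n newest, then spare
    anything younger than older_than_days. Regexes match the whole tag name.
    """
    candidates = []
    for name, created in tags:
        if name == "latest":
            continue
        if not re.fullmatch(name_regex, name):
            continue
        if name_regex_keep and re.fullmatch(name_regex_keep, name):
            continue  # protected tag, never a deletion candidate
        candidates.append((name, created))
    # Newest first, so the first keep_n entries are the ones retained.
    candidates.sort(key=lambda t: t[1], reverse=True)
    candidates = candidates[keep_n:]
    cutoff = now - timedelta(days=older_than_days)
    doomed = [(n, c) for n, c in candidates if c < cutoff]
    return [n for n, _ in sorted(doomed, key=lambda t: t[1])]

# Constructed sample data: snapshot images plus tags that must survive.
NOW = datetime(2020, 10, 31, tzinfo=timezone.utc)
SAMPLE_TAGS = [
    ("latest", NOW - timedelta(days=1)),
    ("master", NOW - timedelta(days=90)),
    ("v1.0.0", NOW - timedelta(days=60)),
] + [("snap-%02d" % d, NOW - timedelta(days=d)) for d in (1, 2, 8, 15, 30)]

KEEP = r"master|v\d+\.\d+\.\d+"  # constructed keep pattern

if __name__ == "__main__":
    for label, keep in (("without keep regex", None), ("with keep regex", KEEP)):
        gone = preview_cleanup(SAMPLE_TAGS, NOW, name_regex_keep=keep,
                               keep_n=2, older_than_days=7)
        print(label, "->", gone)
```

Running it shows the risk the 13.0 release note describes: without the keep pattern, the old `master` and `v1.0.0` tags are the first to be selected for deletion.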
Reputation: 1527
Run this command:
sudo gitlab-ctl registry-garbage-collect -m
Upvotes: 14
Reputation: 2830
If you only need one image, a straightforward way would be to just always push to e.g. registry.example.com/group/project/image:latest. This will overwrite the existing one.
It is more difficult if you want to tag your images with the commit hash or similar. Unfortunately, there is no way (yet) to automatically clean up old images, but it is a much wanted feature, see open issues:
For now, people have made workarounds. E.g.
Both are interesting projects and could help you right now. If you can wait, I would expect that GitLab will implement actual registry cleanup features in the upcoming months.
Updated 2019-08
Since GitLab version 11.10 the gitlab-ctl registry-garbage-collect command has a --delete-manifests flag which enables the deletion of all untagged Docker images. This project is not needed any more. https://github.com/sciapp/gitlab-registry-cleanup#deprecation-notice
Upvotes: 6