How to list images and tags in the docker registry? How to delete images (layers) in the docker registry? These are general demands in my daily work, let’s figure them out.
A brief digression: the OpenShift platform has a web UI to deal with images in the integrated docker registry (it is called imagestream in OpenShift). Usually, after you log in to a terminal, running oc version will show you the web address. You can list and delete imagestreams there.
For example, I use the OpenShift integrated docker registry and push my docker images to a project called datastage (I configured the settings so other projects can pull images from this project):
Resources
Docker Registry HTTP API V2 Registry image cleanup v2 Docker registry authentication Registry tool Git project Cleanup Your Docker Registry
Quick Set up
After installing docker, get and run docker registry from Docker Official Images - registry.
    docker pull registry
you will get:
    docker images
then run it locally with image deletion enabled:
    docker run -d -p 5000:5000 -e REGISTRY_STORAGE_DELETE_ENABLED=true --restart always --name registry registry
To remove images, you need to set up the docker registry with delete enabled (by default it’s off), see my blog Docker Registry Configure
    docker ps
Next, let’s use busybox to illustrate:
    docker pull busybox
Insecure Docker Registry
Quick set up will give you an insecure private docker registry (meaning no docker login, and plain http to access the API).
Note that you can use the -v option in the curl command to get verbose messages such as HEADER information.
Check Availability
    curl -k --head -X GET http://localhost:5000/v2/
This means the registry is accessible and the user has permission.
List Images
    curl -k -X GET http://localhost:5000/v2/_catalog
List Image Tags
    curl -k -X GET http://localhost:5000/v2/busybox/tags/list
Delete Images
Deletion of unused digests of docker images to avoid unnecessary space growth in a private docker registry
Deletion is more complicated than listing. According to the Deleting an Image API, there are 2 main steps:
Delete through API
- Get the digest of the image with tag v1
    curl -k --head -H "Accept: application/vnd.docker.distribution.manifest.v2+json" -X GET http://localhost:5000/v2/busybox/manifests/v1
Note that when deleting a manifest from a registry version 2.3 or later, the following header must be used when HEAD or GET-ing the manifest to obtain the correct digest to delete: Accept: application/vnd.docker.distribution.manifest.v2+json. You can refer to Image Manifest V 2, Schema 2 for more header details.
Here, we use the digest from the Docker-Content-Digest field in the header; the value is sha256:bf510723d2cd2d4e3f5ce7e93bf1e52c8fd76831995ac3bd3f90ecc866643aff.
Actually, if the docker image is loaded, you can inspect it by:
    docker inspect localhost:5000/busybox:v1 | less
There is a RepoDigests field that also contains the same digest:
    ...
- Issue delete command
    curl -k -v -X DELETE http://localhost:5000/v2/busybox/manifests/sha256:bf510723d2cd2d4e3f5ce7e93bf1e52c8fd76831995ac3bd3f90ecc866643aff
The response HTTP/1.1 202 Accepted means the deletion succeeded; let’s check the tag again:
    curl -k -X GET http://localhost:5000/v2/busybox/tags/list
Note that if deletion is not enabled in the docker registry, you will get the response {"errors":[{"code":"UNSUPPORTED","message":"The operation is unsupported."}]}.
Delete in File System
Note that this way doesn’t require deletion to be enabled in the docker registry!
Actually, docker registry stores images in /var/lib/registry/docker/registry/v2/, where there are blobs and repositories directories. The blobs directory is where images reside, and repositories is where metadata and references are located.
You need to delete two dirs if you mount the docker registry storage on the host:
    rm -rf <mount path>/registry/v2/repositories/busybox/_manifests/tags/v1/index/sha256/<hash dir>
While deleting those dirs, the docker registry should be in read-only mode. Nobody should push to the registry.
Garbage Collection
However, the API and file system deletions above only remove the metadata or dereference the connection between the manifest and the layer data on disk; we need to run garbage collection in the docker registry to remove the layers:
    docker exec -it registry sh
check space used before cleaning:
    du -sch /var/lib/registry/docker/
then run garbage collection:
    bin/registry garbage-collect /etc/docker/registry/config.yml
Note that /etc/docker/registry/config.yml is the configuration file for docker registry.
then if you check space used again
    du -sch /var/lib/registry/docker/
Other Notice
If you have one image with multiple tags and the digests are the same, deleting one of them will remove them all.
If you have one image with multiple tags and the digests are different for each tag, deletion is per tag.
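The two "Delete through API" steps and the shared-digest note above, combined into one guarded delete. This is an added example, not code from the original post: the function names and the refusal policy are assumptions, and the sample tag list is constructed.

```sh
# Added example, not the original post's code. REGISTRY defaults to the quick-setup
# registry above; SAMPLE_TAGS is a constructed /tags/list response.
REGISTRY="${REGISTRY:-http://localhost:5000}"
ACCEPT='Accept: application/vnd.docker.distribution.manifest.v2+json'
SAMPLE_TAGS='{"name":"busybox","tags":["v1","latest"]}'

# Print the Docker-Content-Digest value from raw response headers on stdin.
# Header names are case-insensitive and lines end in CRLF: an unstripped \r would
# corrupt the DELETE URL, so strip it and accept only a well-formed sha256 digest.
extract_digest() {
  tr -d '\r' | grep -i '^docker-content-digest:' | head -n 1 \
    | sed 's/^[^:]*:[[:space:]]*//' | grep -E '^sha256:[0-9a-f]{64}$'
}

# Print the tags of a /tags/list JSON body on stdin, one per line.
# An emptied repository reports "tags":null, which yields no output.
parse_tags() {
  sed -n 's/.*"tags":\[\([^]]*\)\].*/\1/p' | tr -d '"' | tr ',' '\n'
}

tag_digest() {   # usage: tag_digest <repo> <tag>
  curl -fsS --head -H "$ACCEPT" "$REGISTRY/v2/$1/manifests/$2" | extract_digest
}

# Print every other tag in <repo> that resolves to the same digest as <tag>;
# deleting that digest would remove all of them.
shared_tags() {   # usage: shared_tags <repo> <tag>
  want=$(tag_digest "$1" "$2") || return 1
  curl -fsS "$REGISTRY/v2/$1/tags/list" | parse_tags | while read -r t; do
    [ "$t" != "$2" ] && [ "$(tag_digest "$1" "$t")" = "$want" ] && echo "$t"
  done
  return 0
}

# Delete <repo>:<tag> by digest, refusing if other tags share that digest.
delete_tag() {   # usage: delete_tag <repo> <tag>
  digest=$(tag_digest "$1" "$2") || { echo "no valid digest for $1:$2" >&2; return 1; }
  others=$(shared_tags "$1" "$2")
  [ -z "$others" ] || { echo "refusing: digest also tagged as: $others" >&2; return 1; }
  code=$(curl -sS -o /dev/null -w '%{http_code}' -X DELETE "$REGISTRY/v2/$1/manifests/$digest")
  [ "$code" = 202 ] || { echo "delete failed: HTTP $code" >&2; return 1; }
  echo "deleted $1@$digest"
}
```

Run `delete_tag busybox v1` against the quick-setup registry; garbage collection is still needed afterwards to reclaim the layer data.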
Secure Docker Registry
In the ICP4D cluster, we use a secure docker registry with https and login credentials. But first let’s understand how to set up a secure docker registry, see my blog <<Secure Docker Registry>>.
login, see .docker/config curl works?
Check Availability
If you don’t have authentication, you will get a 401 Unauthorized status. For example, here https://mycluster.icp:8500 is the private secure docker registry location:
    curl --head -k -X GET https://mycluster.icp:8500/v2/
Here Www-Authenticate tells you the Auth Server address.
In my OpenShift cluster:
    curl -k --head -X GET https://172.30.159.11:5000/v2/
You need to request a token from the Auth Server.
    curl -u openshift:NOyEoOrA0FDm2IgYqlHCDkDepQ7I0vw-7Sx8RzPUmzw -X GET "https://172.30.159.11:5000/openshift/token?service=172.30.159.11:5000&scope=repository:demo1-ds/busybox:pull,push"
https://docs.docker.com/registry/spec/auth/token/
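The challenge-then-token exchange described above, scripted so that the token endpoint is read from the Www-Authenticate header and the password is prompted for, not typed on the command line. This is an added example, not code from the original post: the function names are assumptions, and the sample header and the registry.example.test host are constructed.

```sh
# Added example, not the original post's code. SAMPLE_HEADERS is a constructed
# 401 response in the shape the token spec describes; the host is a placeholder.
SAMPLE_HEADERS=$(printf 'HTTP/1.1 401 Unauthorized\r\nWww-Authenticate: Bearer realm="https://registry.example.test:5000/openshift/token",service="registry.example.test:5000"\r\n')

# Print one parameter (realm, service, ...) of the Bearer challenge read from stdin.
challenge_param() {   # usage: challenge_param <name> < response-headers
  tr -d '\r' | grep -i '^www-authenticate:[[:space:]]*bearer ' | head -n 1 \
    | sed -n "s/.*[ ,]$1=\"\([^\"]*\)\".*/\1/p"
}

# Build the token request URL from the challenge headers ($1) and the scope needed ($2).
token_url() {
  realm=$(printf '%s\n' "$1" | challenge_param realm)
  service=$(printf '%s\n' "$1" | challenge_param service)
  # Basic credentials are sent to the realm, so refuse anything that is not https.
  case "$realm" in https://*) ;; *) echo "untrusted realm: '$realm'" >&2; return 1 ;; esac
  printf '%s?service=%s&scope=%s\n' "$realm" "$service" "$2"
}

# Ping /v2/, follow the challenge, and print a bearer token for the given scope.
fetch_token() {   # usage: fetch_token <registry-url> <user> <scope>
  # TLS verification stays on here; for a private CA pass --cacert instead of -k.
  headers=$(curl -sS --head "$1/v2/") || return 1
  url=$(token_url "$headers" "$3") || return 1
  # "-u user" without a password makes curl prompt for it, which keeps the
  # secret out of shell history and the process list.
  curl -sS -u "$2" "$url" | sed -n 's/.*"token":"\([^"]*\)".*/\1/p'
}
```

The printed token is then sent on later registry calls as an `Authorization: Bearer <token>` header.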
List Images
List Tags
Remove Images