How to delete images from a private docker registry?

Question

I run a private docker registry, and I want to delete all images but the latest from a repository. I don't want to delete the entire repository, just some of the images inside it. The API docs don't mention a way to do this, but surely it's possible?

@Houtman, have a look here: stackoverflow.com/questions/62211899/… — Michael Zelensky, Oct 24 '20 at 12:56
@MichaelZelensky That link does not explain the unsupported error, does it for you? if yes, could you summarize it please? — Melardev, yesterday

Community · Accepted Answer · 2017-05-23 12:26:33Z

Currently you cannot use the Registry API for that task. It only allows you to delete a repository or a specific tag.

In general, deleting a repository means, that all the tags associated to this repo are deleted.

Deleting a tag means, that the association between an image and a tag is deleted.

None of the above will delete a single image. They are left on your disk.

Workaround

For this workaround you need to have your docker images stored locally.

A workaround for your solution would be to delete all but the latest tags and thereby potentially removing the reference to the associated images. Then you can run this script to remove all images, that are not referenced by any tag or the ancestry of any used image.

Terminology (images and tags)

Consider an image graph like this where the capital letters (A, B, ...) represent short image IDs and <- means that an image is based on another image:

 A <- B <- C <- D

Now we add tags to the picture:

 A <- B <- C <- D
           |    |
           |    <version2>
           <version1>

Here, the tag <version1> references the image C and the tag <version2> references the image D.

Refining your question

In your question you said that you wanted to remove

all images but the latest

. Now, this terminology is not quite correct. You've mixed images and tags. Looking at the graph I think you would agree that the tag <version2> represents the latest version. In fact, according to this question you can have a tag that represents the latest version:

 A <- B <- C <- D
           |    |
           |    <version2>
           |    <latest>
           <version1>

Since the <latest> tag references image D I ask you: do you really want to delete all but image D? Probably not!

What happens if you delete a tag?

If you delete the tag <version1> using the Docker REST API you will get this:

 A <- B <- C <- D
                |
                <version2>
                <latest>

Remember: Docker will never delete an image! Even if it did, in this case it cannot delete an image, since the image C is part of the ancestry for the image D which is tagged.

Even if you use this script, no image will be deleted.

When an image can be deleted

Under the condition that you can control when somebody can pull or push to your registry (e.g. by disabling the REST interface). You can delete an image from an image graph if no other image is based on it and no tag refers to it.

Notice that in the following graph, the image D is not based on C but on B. Therefore, D doesn't depend on C. If you delete tag <version1> in this graph, the image C will not be used by any image and this script can remove it.

 A <- B <--------- D
      \            |
       \           <version2>
        \          <latest>
         \ <- C
              |
              <version1>

After the cleanup your image graph looks like this:

 A <- B <- D
           |
           <version2>
           <latest>

Is this what you want?

You're right--deleting the tags didn't actually delete the associated images. Is there any way to delete the images given ssh access to the box, then? — Leo, Aug 28 '14 at 20:19
I've edited my answer with a workaround that does the job for me. I hope it helps. — Konrad Kleine, Aug 29 '14 at 11:52
That's exactly it--I understand that images are built incrementally, but I need a way to prune those dead branches. Thanks! — Leo, Aug 29 '14 at 20:56
@KonradKleine how do you make the images graph out of the list of images you get from the registry? — Rafael Barros, Dec 15 '14 at 22:46
Garbage collecting has finally arrived to the Registry v2.4.0 docs.docker.com/registry/garbage-collection — Markus Rexhepi-Lindberg, Apr 14 '16 at 7:32

Answer 2

Show 3 more comments

Answer 3

Getting unsupported error. I have given proper digest value as the reference.
– Winster
Feb 22 '18 at 6:36
@Winster: what version of registry are you connecting to?
– byrnedo
Feb 22 '18 at 7:50
1

@JamesThomasMoon1979 updated with instructions about getting the reference hash.
– byrnedo
Aug 9 '18 at 11:23
12

on V2 too and getting error {"errors":[{"code":"UNSUPPORTED","message":"The operation is unsupported."}]}
– Gadelkareem
Oct 31 '18 at 21:30

Show 2 more comments

hirro · Answer 4 · 2016-10-28 07:17:04Z

This is really ugly but it works, text is tested on registry:2.5.1. I did not manage to get delete working smoothly even after updating configuration to enable delete. The ID was really difficult to retrieve, had to login to get it, maybe some misunderstanding. Anyway, the following works:

Login to the container
```
docker exec -it registry sh
```
Define variables matching your container and container version:
```
export NAME="google/cadvisor"
export VERSION="v0.24.1"
```

Move to the the registry directory:

cd /var/lib/registry/docker/registry/v2

Delete files related to your hash:

find . | grep `ls ./repositories/$NAME/_manifests/tags/$VERSION/index/sha256`| xargs rm -rf $1

Delete manifests:

rm -rf ./repositories/$NAME/_manifests/tags/$VERSION

Logout
```
exit
```

Run the GC:

docker exec -it registry  bin/registry garbage-collect  /etc/docker/registry/config.yml

If all was done properly some information about deleted blobs is shown.

i followed the same steps mentioned above, but when i checked the docker registry {container} disk usage it was showing same as before doing the steps... any idea why? — Savio Mathew, Apr 26 '18 at 10:28
doesn't work. Easy to check. When you do the following steps and push the repo again it says "064794e955a6: Layer already exists " — Oduvan, Jul 23 '19 at 10:38

bguiz · Answer 5 · 2021-01-16 13:04:34Z

Problem 1

You mentioned it was your private docker registry, so you probably need to check Registry API instead of Hub registry API doc, which is the link you provided.

Problem 2

docker registry API is a client/server protocol, it is up to the server's implementation on whether to remove the images in the back-end. (I guess)

DELETE /v1/repositories/(namespace)/(repository)/tags/(tag*)

Detailed explanation

Below I demo how it works now from your description as my understanding for your questions.

I run a private docker registry. I use the default one, and listen on port 5000.

docker run -d -p 5000:5000 registry

Then I tag the local image and push into it.

$ docker tag ubuntu localhost:5000/ubuntu
$ docker push localhost:5000/ubuntu
The push refers to a repository [localhost:5000/ubuntu] (len: 1)
Sending image list
Pushing repository localhost:5000/ubuntu (1 tags)
511136ea3c5a: Image successfully pushed
d7ac5e4f1812: Image successfully pushed
2f4b4d6a4a06: Image successfully pushed
83ff768040a0: Image successfully pushed
6c37f792ddac: Image successfully pushed
e54ca5efa2e9: Image successfully pushed
Pushing tag for rev [e54ca5efa2e9] on {http://localhost:5000/v1/repositories/ubuntu/tags/latest}

After that I can use Registry API to check it exists in your private docker registry

$ curl -X GET localhost:5000/v1/repositories/ubuntu/tags
{"latest": "e54ca5efa2e962582a223ca9810f7f1b62ea9b5c3975d14a5da79d3bf6020f37"}

Now I can delete the tag using that API !!

$ curl -X DELETE localhost:5000/v1/repositories/ubuntu/tags/latest
true

Check again, the tag doesn't exist in my private registry server

$ curl -X GET localhost:5000/v1/repositories/ubuntu/tags/latest
{"error": "Tag not found"}

Please, see my answer below for an explanation why this command doesn't help. — Konrad Kleine, Aug 28 '14 at 14:21
You delete tags but not the image data. The latter is done by the script I reference after you have deleted a tag. I also use the registry API to delete a tag. — Konrad Kleine, Aug 31 '14 at 14:53
it is upto each registry API server's implementation, from protocol's point of view, it doesn't exist. — Larry Cai, Aug 31 '14 at 14:57
You're right that it's up to the implementation--but I was/am looking for a way to delete image data from the canonical registry image. SSHing in and running a script works, even if it's not ideal. As a side note I still think it's an incomplete API--you can delete tags, but if you GET /images you still see all the leftover image data. — Leo, Sep 5 '14 at 8:24
Thanks for mentioning Registry API, was looking for a way to DELETE an image in private registry. This method is good enough for me even if it's just 'untagging' without actually free up disk space. — Howard Lee, Nov 11 '14 at 18:10

Yan Foto · Answer 6 · 2021-05-22 13:51:30Z

There are some clients (in Python, Ruby, etc) which do exactly that. For my taste, it isn't sustainable to install a runtime (e.g. Python) on my registry server, just to housekeep my registry!

So deckschrubber is my solution:

go get github.com/fraunhoferfokus/deckschrubber
$GOPATH/bin/deckschrubber

images older than a given age are automatically deleted. Age can be specified using -year, -month, -day, or a combination of them:

$GOPATH/bin/deckschrubber -month 2 -day 13 -registry http://registry:5000

UPDATE: here's a short introduction on deckschrubber.

deckschrubber is pretty good - very easy to install (single binary), and lets you delete images by name (with regex match) as well as age. — RichVel, Sep 5 '17 at 13:23
ERRO[0000] Could not delete image! repo=.... tag=latest :/ — scythargon, Dec 5 '17 at 21:38
@scythargon impossible to say wether your specification is correct. — jitter, May 14 '18 at 10:42
Unfortunately, it will not remove images which don't have tags. So if you keep pushing images on a single tag, it will only check the one which is tagged, not the other ones. — Krystian, Mar 25 '19 at 10:06

fgul · Answer 7 · 2019-11-04 07:24:04Z

Briefly;

1) You must typed following command for RepoDigests of a docker repo;

## docker inspect <registry-host>:<registry-port>/<image-name>:<tag>
> docker inspect 174.24.100.50:8448/example-image:latest


[
    {
        "Id": "sha256:16c5af74ed970b1671fe095e063e255e0160900a0e12e1f8a93d75afe2fb860c",
        "RepoTags": [
            "174.24.100.50:8448/example-image:latest",
            "example-image:latest"
        ],
        "RepoDigests": [
            "174.24.100.50:8448/example-image@sha256:5580b2110c65a1f2567eeacae18a3aec0a31d88d2504aa257a2fecf4f47695e6"
        ],
...
...

${digest} = sha256:5580b2110c65a1f2567eeacae18a3aec0a31d88d2504aa257a2fecf4f47695e6

2) Use registry REST API

  ##curl -u username:password -vk -X DELETE registry-host>:<registry-port>/v2/<image-name>/manifests/${digest}


  >curl -u example-user:example-password -vk -X DELETE http://174.24.100.50:8448/v2/example-image/manifests/sha256:5580b2110c65a1f2567eeacae18a3aec0a31d88d2504aa257a2fecf4f47695e6

You should get a 202 Accepted for a successful invocation.

3-) Run Garbage Collector

docker exec registry bin/registry garbage-collect --dry-run /etc/docker/registry/config.yml

registry — registry container name.

For more detail explanation enter link description here

isalgueiro · Answer 8 · 2020-08-25 09:28:20Z

Another tool you can use is registry-cli. For example, this command:

registry.py -l "login:password" -r https://your-registry.example.com --delete

will delete all but the last 10 images.

Igor Rizhyi · Answer 9 · 2020-11-20 13:43:41Z

There is also a way you can remove some old images from repository just based on the date when it was created.

To do that enter your docker registry container and get the list of manifest's revisions for some specific repository:

ls -latr /var/lib/registry/docker/registry/v2/repositories/YOUR_REPO/_manifests/revisions/sha256/

The output then may be used within the request (with sha256 prefix):

curl -v --silent -H "Accept: application/vnd.docker.distribution.manifest.v2+json" -X DELETE http://DOCKER_REGISTRY_HOST:5000/v2/YOUR_REPO/manifests/sha256:OUTPUT_LINE

And of course do not forget to execute 'garbage-collect' command after that:

bin/registry garbage-collect /etc/docker/registry/config.yml

Vidar Langseid · Answer 10 · 2017-09-14 10:38:54Z

This docker image includes a bash script that can be used to remove images from a remote v2 registry : https://hub.docker.com/r/vidarl/remove_image_from_registry/

Shrijan Tiwari · Answer 11 · 2018-07-26 17:38:55Z

Below Bash Script Deletes all the tags located in registry except the latest.

for D in /registry-data/docker/registry/v2/repositories/*; do
if [ -d "${D}" ]; then
    if [ -z "$(ls -A ${D}/_manifests/tags/)" ]; then
        echo ''
    else
        for R in $(ls -t ${D}/_manifests/tags/ | tail -n +2); do
            digest=$(curl -k -I -s -H -X GET http://xx.xx.xx.xx:5000/v2/$(basename  ${D})/manifests/${R} -H 'accept: application/vnd.docker.distribution.manifest.v2+json'  | grep Docker-Content-Digest | awk '{print $2}' )
            url="http://xx.xx.xx.xx:5000/v2/$(basename  ${D})/manifests/$digest"
            url=${url%$'\r'}
            curl -X DELETE -k -I -s   $url -H 'accept: application/vnd.docker.distribution.manifest.v2+json' 
        done
    fi
fi
done

After this Run

docker exec $(docker ps | grep registry | awk '{print $1}') /bin/registry garbage-collect /etc/docker/registry/config.yml

Could you elaborate a bit more on how to use this fine script? — Khalil Gharbaoui, Oct 3 '19 at 16:29

Ilya Krigouzov · Answer 12 · 2018-12-29 12:50:05Z

Simple ruby script based on this answer: registry_cleaner.

You can run it on local machine:

./registry_cleaner.rb --host=https://registry.exmpl.com --repository=name --tags_count=4

And then on the registry machine remove blobs with /bin/registry garbage-collect /etc/docker/registry/config.yml.

alonana · Answer 13 · 2020-07-01 10:34:51Z

Here is a script based on Yavuz Sert's answer. It deletes all tags that are not the latest version, and their tag is greater than 950.

#!/usr/bin/env bash


CheckTag(){
    Name=$1
    Tag=$2

    Skip=0
    if [[ "${Tag}" == "latest" ]]; then
        Skip=1
    fi
    if [[ "${Tag}" -ge "950" ]]; then
        Skip=1
    fi
    if [[ "${Skip}" == "1" ]]; then
        echo "skip ${Name} ${Tag}"
    else
        echo "delete ${Name} ${Tag}"
        Sha=$(curl -v -s -H "Accept: application/vnd.docker.distribution.manifest.v2+json" -X GET http://127.0.0.1:5000/v2/${Name}/manifests/${Tag} 2>&1 | grep Docker-Content-Digest | awk '{print ($3)}')
        Sha="${Sha/$'\r'/}"
        curl -H "Accept: application/vnd.docker.distribution.manifest.v2+json" -X DELETE "http://127.0.0.1:5000/v2/${Name}/manifests/${Sha}"
    fi
}

ScanRepository(){
    Name=$1
    echo "Repository ${Name}"
    curl -s http://127.0.0.1:5000/v2/${Name}/tags/list | jq '.tags[]' |
    while IFS=$"\n" read -r line; do
        line="${line%\"}"
        line="${line#\"}"
        CheckTag $Name $line
    done
}


JqPath=$(which jq)
if [[ "x${JqPath}" == "x" ]]; then
  echo "Couldn't find jq executable."
  exit 2
fi

curl -s http://127.0.0.1:5000/v2/_catalog | jq '.repositories[]' |
while IFS=$"\n" read -r line; do
    line="${line%\"}"
    line="${line#\"}"
    ScanRepository $line
done

How to delete images from a private docker registry?

13 Answers

Workaround

Terminology (images and tags)

Refining your question

What happens if you delete a tag?

When an image can be deleted

Step 1: Listing catalogs

Step 2: Listing tags for related catalog

Step 3: List manifest value for related tag

Step 4: Delete marked manifests

Not the answer you're looking for? Browse other questions tagged docker docker-registry or ask your own question.