This shows you the differences between two versions of the page.
Last revision | |||
— | blog:2017:11:27:2017-11-27_-_cleaning_up_docker-registry [2017/11/27 20:49] – created basz | ||
---|---|---|---|
Line 1: | Line 1: | ||
+ | ====== 2017-11-27 - cleaning up docker-registry ====== | ||
+ | {{ : | ||
+ | |||
+ | it has been 2 months since last post and over 5 months since anything more verbose. [[https:// | ||
+ | |||
+ | when setting up a new service, one must typically accept a bit of maintenance as well. :) there are 3 things you need to cover on your own, that might not come very obvious, if you have not set up a docker-registry instance before, namely: | ||
+ | |||
+ | - HTTPS access | ||
+ | - authentication/ | ||
+ | - removal of (old?) images | ||
+ | |||
+ | first one is simple -- just put [[wp> | ||
+ | |||
+ | second one is not very complex either - for many cases it should be enough to configure the very same nginx instance you're using for HTTPS, to enforce basic-auth on each and every path to reverse-proxied service. | ||
+ | |||
+ | the third thing however is FAR from obvious. more over there is very little help on the internet. some ppl write a lot of voodoo scripts, that manipulate registry' | ||
+ | |||
+ | but how to use it? i've spent way more time i'd like to admit, to solve this issue. if you hit this page with the same problem -- how to remove an image from a private registry, here's the procedure. | ||
+ | |||
+ | ===== configuration ===== | ||
+ | |||
+ | first thing, that is very easy to miss, is configuration. by default docker-registry does NOT allow any explicit removals! even if you set up everything else correctly, w/o this option the feature will just not work. what you need to do is edit ''/ | ||
+ | |||
+ | < | ||
+ | storage: | ||
+ | delete: | ||
+ | enabled: true | ||
+ | </ | ||
+ | |||
+ | ===== remove request ===== | ||
+ | |||
+ | the API looks very simple -- just send a '' | ||
+ | |||
+ | in order to get the ID, the tricky part is that special header must be set in the '' | ||
+ | |||
+ | so the example call via '' | ||
+ | |||
+ | < | ||
+ | curl -q -v \ | ||
+ | -H " | ||
+ | -X GET \ | ||
+ | http:// | ||
+ | </ | ||
+ | |||
+ | the output will look similar to this: '' | ||
+ | |||
+ | now that we finally have the // | ||
+ | |||
+ | < | ||
+ | curl -v -X DELETE http:// | ||
+ | </ | ||
+ | |||
+ | |||
+ | ===== remove data ===== | ||
+ | |||
+ | if you made it this far, you'll notice that while you no longer can '' | ||
+ | |||
+ | to actually wipe the data from the disk, garbage collector must be called, inside the docker-registry image, with a configuration file as a parameter. the call looks like this: | ||
+ | |||
+ | < | ||
+ | docker exec -it my-registry-container \ | ||
+ | registry garbage-collect / | ||
+ | </ | ||
+ | |||
+ | ...and wait. for bigger registry this can take some minutes to complete and will flood your screen with messages. | ||
+ | |||
+ | when the command will exit, your cleanup has just finished. | ||
+ | |||
+ | oh -- and btw: don't run this whole procedure in parallel with adding stuff to your registry. even though it only uses the official API and provided commands, it still tends to leave registry in an inconsistent state! :/ | ||
+ | |||
+ | |||
+ | ===== aftermath ===== | ||
+ | |||
+ | despite the procedure being from hell, pretty much undocumented (well -- there is a documentation for all of it, but left on your own it is anything but trivial to glue the above procedure up!) and problematic in terms of stability, it is not the end of the story. | ||
+ | |||
+ | when you use registry to store CI-build microservices images (which seems very natural), it is very common to have cleanup procedure of old images. explicit deleting some images is only a one step of a bigger run in there. of course getting list of images ordered by creation time is tricky as well, since tags do not have a creation date -- only images have it. and all of the sudden automation of the cleanup becomes even bigger pain. | ||
+ | |||
+ | long story short -- as of writing this post, the procedure is terrible and barely usable. it think there is huge opportunity for improvements here and i hope we'll see better API in the future. in particular it would be nice to have a registry-operating API embedded directly into '' |
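Review bot: the warning not to run the cleanup in parallel with pushes sits after the garbage-collect step in "remove data", so a reader working top to bottom has already run `registry garbage-collect` before reaching it; move it to the start of the procedure or directly above the `docker exec` call. Both curl examples in "remove request" are shown against `http://` with no credentials, although the introduction names HTTPS and authentication as the first two things to set up. Either state that the calls are made locally behind the proxy, or show them with the scheme and credentials a reader will need. The `-it` flags on `docker exec` are unnecessary for a command that reads no input, and `-t` makes the call fail without a terminal, which matters for the automated cleanup discussed under "aftermath". In the last paragraph, "it think" should read "i think".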