1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
|
#!/bin/bash
IMAGE_ARG=""
HOST=""
IMAGE=""
URI=""
TAG=""
USERNAME=""
CREDENTIALS_STRING=""
INSECURE=""
RAW_URL=""
RAW_HTTP_METHOD=""
RAW_HTTP_HEADER=""
TAG_ONLY=false
function printUsage
{
local RESULT=$1
if [ "$RESULT" == "" ]; then
RESULT=0
fi
cat << EOF
Usage:
$ ./remove_image_from_registry.sh [OPTIONS] [IMAGE]
IMAGE
Image name has the format registryhost:port/repository/imagename:version
For instance : mydockerregistry:5000/myrepo/zoombie:latest
Note that the version tag ("latest" in this example) is mandatory.
Please note that this script will delete the image from the repository, not only the tag; if the
image you are deleting have multiple tags ( for instance "1.0" and "latest" ), both tags will be
removed from the registry.
Docker registry does not support deleting only a tag ATM, ref https://github.com/docker/distribution/issues/2317
The option "--tag-only" tries to circumvent this by restoring other tags which also disappear from
the registry during the delete. However, this is not entirely safe:
- Do not delete multiple images concurrently.
- Do not run registry garbage collector while deleting images (this you should never do anyway....).
- Do not create new local tags for the image during the delete operation.
REQUIREMENTS
The registry must run a v2 registry and have token based authentication enabled.
Deletion must be enabled on the registry server (REGISTRY_STORAGE_DELETE_ENABLED=true).
NOTE
The blobs are actually not deleted from the registry server automatically after running this script.
In order to do that you must manually (for the time being) run the registry garbage collector.
See https://docs.docker.com/registry/garbage-collection/ for more info about this.
OPTIONS
-h, --help
Print help
--insecure
Connect to a registry which has a self-signed SSL certificate
-p
Prompt for password
-u <username>
Use the given username when authenticating with the registry
--raw <url> <http-method> [http-header]
Send custom request to the registry. When using this argument, do not use the [IMAGE] argument too.
Example:
./remove_image_from_registry.sh \\
-u admin \\
--insecure \\
--raw \\
mydockerregistry:5000/v2/imagename/manifests/latest \\
GET \\
"Accept: application/vnd.docker.distribution.manifest.v2+json"
--tag-only
After deleting the image, try to recover all other tags which also pointed to the image
Password may also be set using the environment variable REGISTRY_PASSWORD
$ export REGISTRY_PASSWORD=sesame
EOF
exit $RESULT;
}
function validateImageName
{
local IMAGE_NAME
IMAGE_NAME="$1"
if [[ "$IMAGE_NAME" == https://* ]]; then
echo "Image name or raw URL should not start with https://"
exit 1
fi
if [[ "$IMAGE_NAME" == http://* ]]; then
echo "Image name or raw URL should not start with http://"
echo "Anyway, registry must use SSL in order to make token based auth work"
exit 1
fi
}
function parseArguments
{
while (( "$#" )); do
if [ "$1" = "-u" ]; then
shift
USERNAME=$1
elif [ "$1" = "-p" ]; then
echo -n "Password: "
read -s REGISTRY_PASSWORD
echo
elif [ "$1" = "--insecure" ]; then
INSECURE=" --insecure"
elif [ "$1" = "--help" ]; then
printUsage
elif [ "$1" = "-h" ]; then
printUsage
elif [ "$1" = "--raw" ]; then
shift
RAW_URL="$1"
validateImageName "$1"
shift
RAW_HTTP_METHOD="$1"
shift
RAW_HTTP_HEADER="$1"
elif [ "$1" = "--tag-only" ]; then
TAG_ONLY=true
else
# If first param is a dash, we have an invalid argumwent
if [ ${1:0:1} == "-" ]; then
echo "Error: Unknown parameter : $1"
exit 1
fi
if [ "$IMAGE_ARG" != "" ]; then
echo "Error: You may only provide IMAGE name once"
exit 1
fi
validateImageName "$1"
IMAGE_ARG="$1"
HOST=`echo $IMAGE_ARG|cut -f 1 -d "/"`
IMAGE=`echo $IMAGE_ARG|cut -f 2- -d "/"|cut -f 1 -d ":"`
TAG=`echo $IMAGE_ARG|cut -f 2- -d "/"|cut -f 2 -d ":"`
fi
shift
done
if [ "$IMAGE_ARG" = "" ] && [ "$RAW_URL" = "" ]; then
echo "Error: You need to provide image name"
printUsage 1
fi
if [ "$USERNAME" != "" ]; then
CREDENTIALS_STRING=" --user ${USERNAME}:${REGISTRY_PASSWORD}"
fi
}
# $1 is URL
# $2 is HTTP METHOD (default GET)
# $2 is additional header ( optional )
function sendRegistryRequest
{
local URL
local WWW_AUTH_HEADER
local TOKEN
local TOKEN_RESP
local REALM
local SERVICE
local SCOPE
local CUSTOM_HEADER
local HTTP_METHOD
local CURL_HTTP_METHOD_OPTION
local CURL_ARG
local RESULT
URL="$1"
CURL_HTTP_METHOD_OPTION="-X"
if [ "$2" != "" ]; then
HTTP_METHOD="$2"
else
HTTP_METHOD="GET"
fi
# If HTTP_METHOD == "HEAD", we'll need to use -I option instead
if [ $HTTP_METHOD = "HEAD" ]; then
CURL_HTTP_METHOD_OPTION="-I"
HTTP_METHOD=""
fi
if [ "$3" != "" ]; then
CUSTOM_HEADER="$3"
else
CUSTOM_HEADER=""
fi
WWW_AUTH_HEADER=`curl -sS -i $INSECURE $CURL_HTTP_METHOD_OPTION $HTTP_METHOD -H "Content-Type: application/json" ${URL} |grep Www-Authenticate|sed 's|.*realm="\(.*\)",service="\(.*\)",scope="\(.*\)".*|\1,\2,\3|'`
REALM=`echo $WWW_AUTH_HEADER|cut -f 1 -d ","`
SERVICE=`echo $WWW_AUTH_HEADER|cut -f 2 -d ","`
SCOPE=`echo $WWW_AUTH_HEADER|cut -f 3 -d ","`
TOKEN=`curl -f -sS $INSECURE -G --data-urlencode "service=${SERVICE}" --data-urlencode "scope=${SCOPE}" "${REALM}" -K- <<< $CREDENTIALS_STRING|jq .token|cut -f 2 -d "\""`
RESULT=$?
if [ $RESULT -ne 0 ] || [ "$TOKEN" == "" ]; then
# Run command again (without -f arg) and output message to std err
>&2 echo Auth server responded:
>&2 curl -sS $INSECURE -G --data-urlencode "service=${SERVICE}" --data-urlencode "scope=${SCOPE}" "${REALM}" -K- <<< $CREDENTIALS_STRING
if [ $RESULT -eq 0 ]; then
RESULT=42
fi
exit $RESULT
fi
# We only use -f parameter if we are doing a ordinary delete request
# If we are doing raw request, we output both request and response ( including headers )
if [ "$RAW_URL" = "" ]; then
CURL_ARG="-f "
else
CURL_ARG="-v "
fi
if [ "$CUSTOM_HEADER" == "" ]; then
curl $CURL_ARG -sS $INSECURE $CURL_HTTP_METHOD_OPTION $HTTP_METHOD -H "Authorization: Bearer $TOKEN" "${URL}"
RESULT=$?
if [ $RESULT -ne 0 ]; then
# Run command again (without -f arg) and output message to std err
>&2 curl -sS $INSECURE $CURL_HTTP_METHOD_OPTION $HTTP_METHOD -H "Authorization: Bearer $TOKEN" "${URL}"
exit $RESULT
fi
else
curl $CURL_ARG -i -sS $INSECURE $CURL_HTTP_METHOD_OPTION $HTTP_METHOD -H "$CUSTOM_HEADER" -H "Authorization: Bearer $TOKEN" "${URL}"
RESULT=$?
if [ $RESULT -ne 0 ]; then
# Run command again (without -f arg) and output message to std err
>&2 curl -i -sS $INSECURE $CURL_HTTP_METHOD_OPTION $HTTP_METHOD -H "$CUSTOM_HEADER" -H "Authorization: Bearer $TOKEN" "${URL}"
exit $RESULT
fi
fi
}
function getTags
{
TAGS=`sendRegistryRequest https://${HOST}/v2/${IMAGE}/tags/list GET |jq --compact-output .tags`
RESULT=$?
if [ "$TAGS" == "" ] || [ $RESULT -ne 0 ]; then
exit $RESULT
fi
# imagenames and tags cannot contain special characters or space. So let's just remove that JSON syntax
TAGS=${TAGS//\"}
TAGS=${TAGS//\[}
TAGS=${TAGS//\]}
TAGS=${TAGS//,/ }
}
# $1 is the tag you want to take backup of
# $2 is tag name used for backup (backup tag)
function backupLocalImage
{
# If the tag we are going to delete exists locally we need to take a backup of that
# then download the image from registry ( remote and local image may not match even though they have the same name )
if [ `docker images --format "{{.Repository}}:{{.Tag}}" ${HOST}/${IMAGE}:$1| wc -l` -eq 1 ]; then
BACKUP_TAKEN="true"
docker tag ${HOST}/${IMAGE}:$1 ${HOST}/${IMAGE}:$2
docker rmi ${HOST}/${IMAGE}:$1
fi
}
# $1 is the tag you want to restore to
# $2 is the tag name used when taking the backup (backup tag)
function restoreBackup
{
if [ `docker images --format "{{.Repository}}:{{.Tag}}" ${HOST}/${IMAGE}:$2| wc -l` -eq 1 ]; then
# docker rmi ${HOST}/${IMAGE}:$1
docker tag ${HOST}/${IMAGE}:$2 ${HOST}/${IMAGE}:$1
docker rmi ${HOST}/${IMAGE}:$2
fi
}
parseArguments "$@"
if [ "$RAW_URL" = "" ]; then
if [ "$TAG_ONLY" = "true" ]; then
getTags
backupLocalImage $TAG remove_image_from_registry1
docker pull ${HOST}/${IMAGE}:${TAG}
fi
SHA_REQ=`sendRegistryRequest https://${HOST}/v2/${IMAGE}/manifests/${TAG} GET "Accept: application/vnd.docker.distribution.manifest.v2+json"`
RESULT=$?
if [ "$SHA_REQ" == "" ] || [ $RESULT -ne 0 ]; then
docker rmi ${HOST}/${IMAGE}:${TAG}
restoreBackup $TAG remove_image_from_registry1
exit $RESULT
fi
SHA=$(echo "$SHA_REQ"|grep "Docker-Content-Digest:"|cut -f 2- -d ":"|tr -d '[:space:]')
sendRegistryRequest https://${HOST}/v2/${IMAGE}/manifests/${SHA} DELETE
if [ "$TAG_ONLY" = "true" ]; then
OLDTAGS="$TAGS"
getTags
TAGSPIPE="|${TAGS// /|}|"
for i in $OLDTAGS; do
# Clearly, we expect TAG to be gone
# We don't want to restore that one
if [ "$i" = "$TAG" ]; then
continue
fi
if [[ $TAGSPIPE != *"|$i|"* ]]; then
echo This tag needs to be restored : ${HOST}/${IMAGE}:${i}
backupLocalImage $i remove_image_from_registry2
docker tag ${HOST}/${IMAGE}:${TAG} ${HOST}/${IMAGE}:${i}
docker push ${HOST}/${IMAGE}:${i}
docker rmi ${HOST}/${IMAGE}:${i}
restoreBackup $i remove_image_from_registry2
fi
done
docker rmi ${HOST}/${IMAGE}:${TAG}
restoreBackup $TAG remove_image_from_registry1
fi
else
sendRegistryRequest "https://${RAW_URL}" "${RAW_HTTP_METHOD}" "${RAW_HTTP_HEADER}"
fi
|