
Delete docker images from nexus registry using api

There's a nexus setup running for docker registry. I'm struggling to delete old/unnecessary images from nexus setup using the APIs. So far I'm aware of below available APIs. There are 2 requirements:

  1. Delete images older than 30 days.
  2. Keep at least 5 tags of each image.

The delete api can only delete using the digest of the images but I'm not sure how to find exact one for the tags of images. Search api doesn't seem to work for docker images. Can someone please help?

## Search api
https://help.sonatype.com/repomanager3/integrations/rest-and-integration-api/search-api?_ga=2.253346826.2007475959.1640178248-1042170715.1640178248#SearchAPI-SearchComponents

## Find all catalog images under docker registry
curl -u admin:adminPass -X "GET" nexus.example.com/v2/_catalog | jq

## Get all tags of an image
curl -u admin:adminPass -X "GET" nexus.example.com/v2/abc-web-service-prod/tags/list

## Get manifests
curl -u admin:adminPass -X "GET" "nexus.example.com/v2/abc-web-service-stage-2/manifests/5.2.6_1" | jq

## Delete by digest
curl -i -u admin:adminPass -X "DELETE" "nexus.example.com/v2/abc-web-service/manifests/sha256:8829ce7278c1151f61438dcfea20e3694fee2241a75737e3a8de31a27f0014a5"

Two things are missing from the "get manifests" example. First, if you include the http headers, you'll likely get the digest field, or you can skip the jq and pipe the result into a sha256sum to get the digest. But you also need to add an "Accept" header for the various media types of a manifest, otherwise the registry will convert it to an older schema v1 syntax which will not have the same digest. Here's an example that does the two v2 docker media types:

api="application/vnd.docker.distribution.manifest.v2+json"
apil="application/vnd.docker.distribution.manifest.list.v2+json"
curl -H "Accept: ${api}" -H "Accept: ${apil}" \
     -u admin:adminPass \
     -I -s "nexus.example.com/v2/abc-web-service-stage-2/manifests/5.2.6_1" 

The next issue you'll run into with your policy is the 30 day requirement. You can get the creation time on many images by pulling their image config blob (it's listed in the manifest), but that date will be when the image was created, not when it was pushed or last pulled. There have been suggestions to add API's to OCI to handle more metadata, but we're still a ways off from that, and further still to get registry providers to implement them. So you'd end up deleting things that are likely being used. Even the 5 tag rule can be problematic if several new tags are created working through bugs in CI and you age out the image currently deployed in production.

With that all said, some tooling that I work on called regclient may help. The regctl command gives you a way to script this in a shell, e.g.:

#!/bin/sh
registry="nexus.example.com"
cutoff="$(date -d -30days '+%s')"
for repo in $(regctl repo ls "$registry"); do
  # The "head -n -5" ignores the last 5 tags, but you may want to sort that list first.
  for tag in $(regctl tag ls "$registry/$repo" | head -n -5); do
    # This is the most likely command to fail since the created timestamp is optional, may be set to 0,
    # and the string format might vary.
    # The cut is to remove the "+0000" that breaks the "date" command.
    created="$(regctl image config "$registry/$repo:$tag" --format '{{.Created}}' | cut -f1,2,4 -d' ')"
    createdSec="$(date -d "$created" '+%s')"
    # both timestamps are converted to seconds since epoch, allowing numeric comparison
    if [ "$createdSec" -lt "$cutoff" ]; then
      # next line is prefixed with echo for debugging, delete the echo to run the tag delete command
      echo regctl tag rm "$registry/$repo:$tag"
    fi
  done
done

Note that I'm using "regctl tag rm" above, which is different from an image manifest delete you're seeing in the API. This will attempt to do an OCI tag delete API first, which likely isn't supported by your registry. It falls back to pushing a dummy manifest and deleting that. The alternative of deleting the current manifest the tag points to is you may delete more tags than intended (you could have 5 tags all pointing to the same manifest).

If you want to further automate this, regbot in that same repo lets you build a policy and run it on a schedule to constantly cleanup old images according to your rules.

In addition to regclient, there's also crane and skopeo that may also help in this space, but the features of each of these will vary.
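The question's policy (older than 30 days, keep at least 5 tags) and the warning above that several tags can point at one manifest can both be checked offline before any DELETE is sent. The following is an added example, not code from the answer or from regclient; the `plan_deletes` and `sample_inventory` names, the input format and the sample rows are constructed for illustration.

```sh
#!/bin/sh
# Added example: plan a retention run before issuing any delete-by-digest call.
# Input on stdin, one line per tag: "<tag> <manifest-digest> <created-epoch>".
# Output for each expired tag: "delete <digest> <tag>" or "skip <digest> <tag>".
plan_deletes() {
  now="$1"; keep="$2"; max_age_days="$3"
  cutoff=$((now - max_age_days * 86400))
  # Newest first, so the first $keep rows are the tags the policy must retain.
  sort -k3,3nr -k1,1 |
  awk -v keep="$keep" -v cutoff="$cutoff" '
    {
      if (NR <= keep || $3 >= cutoff) {
        protected[$2] = 1        # a retained tag pins its manifest digest
      } else {
        n++; tag[n] = $1; dig[n] = $2
      }
    }
    END {
      for (i = 1; i <= n; i++) {
        verb = (dig[i] in protected) ? "skip" : "delete"
        print verb, dig[i], tag[i]
      }
    }'
}

# Constructed sample inventory (shortened placeholder digests, not real values).
sample_inventory() {
  cat <<'EOF'
5.2.6_1 sha256:aaaa 1700000000
5.2.5_3 sha256:bbbb 1699000000
5.2.5_2 sha256:bbbb 1690000000
5.2.4_1 sha256:cccc 1689000000
5.1.0_9 sha256:dddd 1680000000
prod sha256:eeee 1700000500
5.0.0_1 sha256:eeee 1670000000
4.9.0_1 sha256:ffff 1660000000
EOF
}

# Keep 5 tags, 30-day cutoff, with "now" fixed so the result is reproducible.
sample_inventory | plan_deletes 1700100000 5 30
```

Only the `delete` lines are candidates for a delete-by-digest call; a `skip` line means the expired tag shares its manifest with a tag the policy retains.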

I found a great solution to this. https://github.com/andrey-pohilko/registry-cli

1. Create a docker image [name: registry-cli:1.0.1] using below Dockerfile


ADD requirements-build.txt /

RUN pip install -r /requirements-build.txt

ADD registry.py /

ENTRYPOINT ["/registry.py"]

2. Use below command to list down all images:tags in your private nexus registry.
docker run --rm registry-cli:1.0.1 -l admin:adminPass -r http://nexus.example.com

3. To get all tags of a particular image.
docker run --rm registry-cli:1.0.1 -l admin:adminPass -r http://nexus.example.com -i <name-of-the-image1> <name-of-the-image2>

4. To delete all old tags of a particular image but keep latest 10 tags.
docker run --rm registry-cli:1.0.1 -l admin:adminPass -r http://nexus.example.com -i <name-of-the-image1> --delete

5. To delete all the old tags of all the images in the repository but keep 10 latest tags of each image
docker run --rm registry-cli:1.0.1 -l admin:adminPass -r http://nexus.example.com --delete

6. If you wish to keep 20 images instead of 10 then use --num
docker run --rm registry-cli:1.0.1 -l admin:adminPass -r http://nexus.example.com --delete --num 20

7. Once you're done deleting the older tags of the images, run task "delete unused manifests and docker images"

8. Post step:7, run compaction task to reclaim the storage.
