
GitLab registry cleanup policy: how to keep most recent n tags, but delete others?

I'm a bit confused about GitLab's registry cleanup policy.

I have several registries with tags for the image foo being pushed every few weeks or so, named foo:v1.0.0, foo:v1.0.1, etc. The tag latest is always pushed alongside the versioned tags. However, latest is never used in production in order to pin the dependencies.

I would like to keep the most recent 1 tag, and clear out any tags older than, say, 30 days.

I currently have the following policy set:

I would expect only two tags to be inside my repository (latest and, e.g., foo:v1.0.1), yet there are 15, dating back to 6 months ago and earlier.

Now, when I look at the "Keep the most recent" line — what does "1 tag per image name" mean here, exactly? Is the "image name" the name of the image, e.g. foo? Then the policy should not leave 15 images in my repository, only 1.

If "image name" is actually the name plus the tag (e.g., foo:v1.0.0), what is the purpose of this setting? It means that any image will be kept!

I guess I could remove the keep rules, but I also do not want to simply delete all images except the latest one, since latest is never used in production, and in case I don't update an image within 30 days, that will be deleted too, and I cannot deploy anymore.

Is there a good solution to this, other than writing my own cleanup script?

what does "1 tag per image name" mean here, exactly?

"image name" really means 'repository' in the docker registry API sense of the word. I'm guessing the GitLab UI avoids this term to prevent conflation with 'repository' in the git/project sense of the word, since it would be confusing because a single GitLab project/repo can hold many separate docker images.

So, suppose you have two images myproject/foo and myproject/bar: "1 tag per image" means 1 tag for the image myproject/foo and 1 tag for myproject/bar. It does not mean a combination of image and tag.

Your keep rule of .* is preventing any tags from being cleaned up, per step 4 of the cleanup policy:

The cleanup policy:

  1. Collects all tags for a given repository in a list.
  2. Excludes the tag named latest from the list.
  3. Evaluates the name_regex (tags to expire), excluding non-matching names from the list.
  4. Excludes from the list any tags matching the name_regex_keep value (tags to preserve).
  5. Excludes any tags that do not have a manifest (not part of the options in the UI).
  6. Orders the remaining tags by created_date.
  7. Excludes from the list the N tags based on the keep_n value (Number of tags to retain).
  8. Excludes from the list the tags more recent than the older_than value (Expiration interval).
  9. Finally, the remaining tags in the list are deleted from the Container Registry.

So, you would probably want to change your keep regex to match only the images you would want to keep -- like the tags you use in production (e.g. v.+ to match tags starting with v).
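
The nine quoted steps as a small simulation, added here as an example (it is not GitLab's code and not part of the answer above). The tag list is constructed; the expire regex `.*`, keep-1 and 30-day values are assumed from the question because the policy screenshot is not on the page, and whole-name regex matching is also an assumption.

```python
import re
from datetime import datetime, timedelta

NOW = datetime(2024, 1, 1)  # constructed reference time

# Constructed sample repository: 15 version tags pushed every 14 days,
# two branch-build tags, and "latest".
TAGS = [{"name": f"v1.0.{i}", "created": NOW - timedelta(days=14 * (15 - i)),
         "has_manifest": True} for i in range(15)]
TAGS += [
    {"name": "dev-a1b2", "created": NOW - timedelta(days=90), "has_manifest": True},
    {"name": "dev-c3d4", "created": NOW - timedelta(days=5), "has_manifest": True},
    {"name": "latest", "created": NOW - timedelta(days=14), "has_manifest": True},
]


def expired_tags(tags, name_regex, name_regex_keep, keep_n, older_than_days, now=NOW):
    """Return the tag names that the nine quoted steps would delete."""
    # Steps 1-2: collect all tags, drop "latest".
    pool = [t for t in tags if t["name"] != "latest"]
    # Step 3: keep only names matching the expire regex (whole-name match assumed).
    pool = [t for t in pool if re.fullmatch(name_regex, t["name"])]
    # Step 4: drop names matching the keep regex; an empty value protects nothing.
    if name_regex_keep:
        pool = [t for t in pool if not re.fullmatch(name_regex_keep, t["name"])]
    # Step 5: drop tags without a manifest.
    pool = [t for t in pool if t["has_manifest"]]
    # Step 6: order by creation date, newest first.
    pool.sort(key=lambda t: t["created"], reverse=True)
    # Step 7: the newest keep_n tags are protected.
    pool = pool[keep_n:]
    # Step 8: tags newer than the expiration interval are protected.
    cutoff = now - timedelta(days=older_than_days)
    pool = [t for t in pool if t["created"] < cutoff]
    # Step 9: whatever is left gets deleted.
    return [t["name"] for t in pool]


if __name__ == "__main__":
    for keep in (".*", "v.+", ""):
        doomed = expired_tags(TAGS, ".*", keep, keep_n=1, older_than_days=30)
        print(f"keep regex {keep!r}: {len(doomed)} deleted -> {doomed}")
```

With a keep regex of `.*` the list is already empty after step 4, so `keep_n` and `older_than` never get anything to act on.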

I've given up trying to understand how the cleanup policies work, and instead wrote a Python script that does the entire cleanup.

The code can be found in this Gist.

The basic idea is to:

  • Fetch all tags
  • Exclude the ones containing "latest"
  • Extract, if any, a tag prefix (e.g. customer-v1.2.3)
  • Group by prefixes, and for each prefix group, keep at most N tags
  • Delete the others
