10

I have pushed container images using gcloud docker push to the Google Container Registry. Two questions:

How do I cleanly remove a pushed container image from the registry? (I know I can remove a tag from an image and make it not accessible anymore.)

There are a bunch of Docker layers that an image brings with it. I want to remove all the unused layers with an image deletion.

Misha Brukman
Gabriel Petrovay
  • This question originated from http://stackoverflow.com/q/33671369/454103. There are some partial answers that do not completely solve the problem. – Gabriel Petrovay Nov 17 '15 at 11:29
  • Possible duplicate of [How to remove a pushed image in Google Container Registry](http://stackoverflow.com/questions/31523945/how-to-remove-a-pushed-image-in-google-container-registry) – Wernight Aug 24 '16 at 09:53

3 Answers

12

UPDATE: You can now delete individual container images straight from the UI.

  1. Go to the Container Registry page.
  2. You should see a list of container images. Click the one you want to delete.
  3. Select one or more tags, and click the delete button.

As of Nov 2015: There is no way to currently delete a single container image from the registry cleanly. Right now, it is basically all or nothing. The GCR team is working on this!

Original Answer: I can't think of an easy way to delete individual images. You can delete ALL of the images by deleting the Cloud Storage bucket with gsutil rb gs://artifacts.<PROJECT-ID>.appspot.com. You can also use the storage browser and try to delete individual parts (https://console.developers.google.com/storage/browser/artifacts..appspot.com) but you would have to know the Docker hashes for each layer!

Philipp Kyeck
Sandeep Dinesh
8

This can be done via gcloud, which means it can be done from the CLI or in a code pipeline (say, at the end of CD).

As documented by Google, you can collect a list of all untagged images with:

    gcloud container images list-tags [HOSTNAME]/[PROJECT-ID]/[IMAGE] --filter='-tags:*' --format="get(digest)" --limit=$BIG_NUMBER

And then delete an image with:

    gcloud container images delete [HOSTNAME]/[PROJECT-ID]/[IMAGE]@DIGEST --quiet

where the above command is run for each output (DIGEST) from the first command.

A rough scripted example would be running the following post gcloud auth:

    gcloud container images list-tags gcr.io/myProject/myApp --filter='-tags:*' --format="get(digest)" --limit=10 > tags && while read p; do gcloud container images delete "gcr.io/myProject/myApp@$p" --quiet; done < tags

A GitHub Actions post-CD image cleanup task would look like:

    needs: [CI, Build_myApp]
    runs-on: ubuntu-latest
    steps:
      - name: 'Authenticate to Gcloud'
        uses: google-github-actions/setup-gcloud@master
        with:
          project_id: myProject
          service_account_email: myServiceAccount@myProject.iam.gserviceaccount.com
          service_account_key: ${{ secrets.CONTAINER_ADMIN_NP_SA }}
          export_default_credentials: true
      - name: 'Cleanup untagged images in nonprod'
        run: gcloud container images list-tags gcr.io/myProject/myApp --filter='-tags:*' --format="get(digest)" --limit=10 > tags && while read p; do gcloud container images delete "gcr.io/myProject/myApp@$p" --quiet; done < tags

Jake Nelson
  • great answer! I have 80 containers without tags, so the script can't find the containers. Can you help with a same kind of script where I first can tag all the container-entries with a tag, e.g. "READYTODELETE"? Thanks – Johan Walhout Nov 12 '21 at 09:59
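
A dry-run-first variant of the untagged-image cleanup in the answer above, as an added example that is not part of the original answer: it checks that each listed line is a well-formed `sha256:` digest before building a delete command. `IMAGE` is a placeholder, `APPLY`, `is_digest`, `cleanup_untagged` and `sample_listing` are names introduced here, and the sample digests are constructed.

```bash
#!/usr/bin/env bash
# Added example: dry-run-first deletion of untagged digests.
# IMAGE is a placeholder; APPLY is a switch introduced for this example.
IMAGE="${IMAGE:-gcr.io/myProject/myApp}"

# Accept only "sha256:" followed by 64 lowercase hex characters, so an
# empty line or stray message never ends up inside a delete command.
is_digest() {
  case "$1" in
    sha256:*) hex="${1#sha256:}" ;;
    *) return 1 ;;
  esac
  [ "${#hex}" -eq 64 ] || return 1
  case "$hex" in
    *[!0-9a-f]*) return 1 ;;
  esac
  return 0
}

# Read digests on stdin and print one delete command per valid digest.
# The command is executed only when APPLY=1. Returns non-zero if any
# line was rejected or any delete failed.
cleanup_untagged() {
  rc=0
  while IFS= read -r d; do
    [ -n "$d" ] || continue
    if ! is_digest "$d"; then
      echo "skip: not a digest: $d" >&2
      rc=1
      continue
    fi
    echo "gcloud container images delete $IMAGE@$d --quiet"
    if [ "${APPLY:-0}" = "1" ]; then
      gcloud container images delete "$IMAGE@$d" --quiet </dev/null || rc=1
    fi
  done
  return "$rc"
}

# Constructed sample listing (not real digests): two valid, one noise line.
sample_listing() {
  printf 'sha256:%064d\n' 1
  printf 'WARNING: constructed noise line\n'
  printf 'sha256:%064d\n' 2
}

# Dry run over the sample; with real data, pipe in the list-tags output.
sample_listing | cleanup_untagged || echo "some lines were rejected" >&2
```

With real data, pipe the output of the `list-tags ... --filter='-tags:*' --format="get(digest)"` command from the answer into `cleanup_untagged`, review the printed plan, then repeat with `APPLY=1`.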
0
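
    PROJECT="project"
    REGISTRY="registry"   # image name under gcr.io/$PROJECT

    # Delete every image under gcr.io/$PROJECT/$REGISTRY, tagged or not,
    # one digest at a time until the listing comes back empty.
    while true; do
      echo
      DIGEST=$(gcloud container images list-tags "gcr.io/$PROJECT/$REGISTRY" --format="get(digest)" --limit 1)
      if [ -z "$DIGEST" ]; then
        break
      fi
      # Stop if a delete fails; otherwise the same digest is listed forever.
      gcloud container images delete "gcr.io/$PROJECT/$REGISTRY@$DIGEST" --force-delete-tags --quiet || break
    done
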
Prashant