2

Running the registry:2 image via docker-compose 1.27.4, docker itself is at 19.03.13.

The registry is configured as a "pull through cache", also referred to as "proxy" or "mirror" by some. The setup is very basic and follows the official documentation:

version: 0.1
log:
  fields:
    service: registry
storage:
  cache:
    blobdescriptor: inmemory
  filesystem:
    rootdirectory: /var/lib/registry
  delete:
    enabled: true
http:
  addr: :5000
  headers:
    X-Content-Type-Options: [nosniff]
health:
  storagedriver:
    enabled: true
    interval: 10s
    threshold: 3
proxy:
  remoteurl: https://registry-1.docker.io

When using the standard procedures to delete an image on this registry via the API...

  1. find tag name

    export HEADER="Accept: application/vnd.docker.distribution.manifest.v2+json"
curl -s -H $HEADER https://<HOST>/v2/<CATALOG>/tags/list

  2. find corresponding SHA

    curl -sI -k -H $HEADER https://<HOST>/v2/<CATALOG>/manifests/<TAG>

  3. delete via SHA

    curl -H $HEADER -X DELETE https://<HOST>/v2/<CATALOG>/manifests/<SHA>

...I get a 404 for the last command:

404 page not found

When I do the same with the proxy bit commented out in the registry configuration, it works.

This feels eerily familiar to not being able to push against such a "pull through cache" registry, which, to be fair, is documented. This use case isn't - or is it?

zb226
  • 9,586
  • 6
  • 49
  • 79
  • I'm curious what the use case is for running a delete against the cache? Are you trying to save space on the cache, flush a stale entry, or want to delete the image from the upstream registry? – BMitch Nov 23 '20 at 16:05

1 Answers1

5

The pull through cache functionality of the registry:2 image is designed for exactly that, pulling. Any other actions, like push or delete, aren't supported and are expected to give errors. To delete the manifest at the source, you'll want to run the delete command against that registry. I don't believe there's any API to prematurely remove a manifest from only the cache, it's a fixed 7 day expiration time.

BMitch
  • 231,797
  • 42
  • 475
  • 450
  • Thanks for answering, to answer your question above: My concrete use case is being able to remove certain images that went in there by accident. If I understand correctly, I'm not supposed to do that, but let the registry fix itself by weeding out stale images? In my example that would mean ensuring nobody pulls these unwanted images for 7 days? – zb226 Nov 23 '20 at 16:17
  • 1
    @zb226 I believe it's 7 days regardless of whether it's been pulled. Only option I know of to clean out the cache manually is to restart with the storage/volume reset. It will automatically repopulate as images get pulled through. – BMitch Nov 23 '20 at 17:38
  • From freshly acquired own experience: you're right with the unconditional 7 days. It's a bit sad that these informations aren't officially documented (besides the sources). Well, now at least we have this SO answer for people to google for. Thanks again. – zb226 Nov 24 '20 at 11:40