
Remove obsoleted docker images
Open, Medium, Public

Description

We still serve some obsoleted, unmaintained docker images in our registry. This is wrong and potentially exposes users of those to unpatched vulnerabilities.

We should sunset and remove all such images.

To this end we need a simple cli tool to remove images (and specific tags) from the registry. -> https://wikitech.wikimedia.org/wiki/Docker#Deleting_an_image_(from_registry)

We will then need to list and confirm removal of such images in this task.

Event Timeline

Joe created this task. Jan 13 2020, 1:32 PM
Restricted Application added a subscriber: Aklapper. Jan 13 2020, 1:32 PM

Change 563482 had a related patch set uploaded (by Giuseppe Lavagetto; owner: Giuseppe Lavagetto):
[operations/docker-images/docker-report@master] Add a registryctl command-line utility

https://gerrit.wikimedia.org/r/563482

MoritzMuehlenhoff triaged this task as Medium priority. Jan 14 2020, 9:10 AM

Change 563482 merged by jenkins-bot:
[operations/docker-images/docker-report@master] Add a registryctl command-line utility

https://gerrit.wikimedia.org/r/563482

Mentioned in SAL (#wikimedia-operations) [2020-01-14T17:21:36Z] <_joe_> upload docker-report 0.0.2 to {buster,stretch}-wikimedia T242604

brennen moved this task from Backlog to Watching on the User-brennen board.

Unfortunately removing all tags of an image (e.g. repository) does not remove the repository itself from the registry[1][2]. What that means is that the "image" will still be listed in the catalog (GET /v2/_catalog).

In addition, the Swift storage backend does not handle this situation very well, leading the registry to respond with a 404 to requests for the tag list of a "deleted image":

HTTP/1.1 404 Not Found
Content-Type: application/json; charset=utf-8
Docker-Distribution-Api-Version: registry/2.0
X-Content-Type-Options: nosniff
Date: Wed, 01 Jul 2020 13:33:48 GMT
Content-Length: 113

{"errors":[{"code":"NAME_UNKNOWN","message":"repository name not known to registry","detail":{"name":"baaar"}}]}

The local file storage returns empty tags in that case:

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Docker-Distribution-Api-Version: registry/2.0
X-Content-Type-Options: nosniff
Date: Wed, 01 Jul 2020 13:24:06 GMT
Content-Length: 29

{"name":"baaar","tags":null}

[1] https://github.com/docker/distribution/issues/2434
[2] https://github.com/docker/distribution/issues/2747
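
Added example, not part of the original comment and not docker-report's own code: one way a cleanup or reporting script can treat both responses quoted above as "repository has no tags" and find repositories that are still listed in GET /v2/_catalog. The function names, the fetch_tags callable and the "foo" repository are assumptions made for illustration; the two "baaar" bodies are the ones quoted above.

```python
import json

class RegistryError(Exception):
    """A tag-list response that is not a recognised 'no tags' case."""

def tags_from_response(status, body):
    """Return the tags for a GET /v2/<name>/tags/list response.

    Both shapes seen for a repository whose tags were all removed are
    normalised to an empty list:
      * 200 with "tags": null       (local file storage)
      * 404 with code NAME_UNKNOWN  (swift storage backend)
    Anything else (auth failure, server error) is raised, so a failed
    lookup is never mistaken for an empty repository.
    """
    try:
        doc = json.loads(body)
    except ValueError as exc:
        raise RegistryError(f"HTTP {status}: body is not JSON") from exc
    if status == 200:
        return list(doc.get("tags") or [])
    codes = {e.get("code") for e in doc.get("errors") or []}
    if status == 404 and codes == {"NAME_UNKNOWN"}:
        return []
    raise RegistryError(f"HTTP {status}: {sorted(map(str, codes))}")

def empty_repositories(catalog_body, fetch_tags):
    """Names still listed in the catalog that have no tags left.

    fetch_tags(name) -> (status, body) is a hypothetical callable standing
    in for the HTTP request, so the logic runs offline.
    """
    names = json.loads(catalog_body).get("repositories") or []
    return [n for n in names if not tags_from_response(*fetch_tags(n))]

# Constructed sample data for the example.
SWIFT_404 = (404, '{"errors":[{"code":"NAME_UNKNOWN","message":"repository name '
                  'not known to registry","detail":{"name":"baaar"}}]}')
LOCAL_200 = (200, '{"name":"baaar","tags":null}')
CATALOG = '{"repositories":["baaar","foo"]}'

def sample_fetch(name, deleted=SWIFT_404):
    """Constructed stand-in for the registry: 'baaar' has had all tags removed."""
    return deleted if name == "baaar" else (200, '{"name":"foo","tags":["1.0"]}')

if __name__ == "__main__":
    print(empty_repositories(CATALOG, sample_fetch))
```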

JMeybohm updated the task description. Jul 1 2020, 2:34 PM

Change 608889 had a related patch set uploaded (by Giuseppe Lavagetto; owner: Giuseppe Lavagetto):
[operations/docker-images/docker-report@master] Handle cases of repositories with no tags

https://gerrit.wikimedia.org/r/c/operations/docker-images/docker-report/+/608889

Change 608889 merged by jenkins-bot:
[operations/docker-images/docker-report@master] Handle cases of repositories with no tags

https://gerrit.wikimedia.org/r/c/operations/docker-images/docker-report/+/608889

Mentioned in SAL (#wikimedia-operations) [2020-07-02T05:46:33Z] <_joe_> upload docker-report 0.0.4 on buster-wikimedia T242604

Joe added a comment. Jul 2 2020, 5:54 AM

Docker-report can now support such cases, and I removed the tags for that repository.

jijiki moved this task from Incoming 🐫 to Unsorted on the serviceops board. Aug 17 2020, 11:46 PM