Page MenuHomePhabricator
Create Task
Maniphest T242604

Remove obsoleted docker images
Open, MediumPublic
Actions

Description

We still serve some obsoleted, unmaintained docker images in our registry. This is wrong and potentially exposes users of those to unpatched vulnerabilities.

We should sunset and remove all such images.

To this end we need a simple cli tool to remove images (and specific tags) from the registry. -> https://wikitech.wikimedia.org/wiki/Docker-registry

We will then need to list and confirm removal of such images in this task.

Details

SubjectRepoBranchLines +/-
Handle cases of repositories with no tagsoperations/docker-images/docker-reportmaster+36 -0
Add a registryctl command-line utilityoperations/docker-images/docker-reportmaster+756 -194
Customize query in gerrit

Related Objects

Event Timeline

Joe created this task.Jan 13 2020, 1:32 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJan 13 2020, 1:32 PM
gerritbot added a comment.Jan 13 2020, 1:52 PM

Change 563482 had a related patch set uploaded (by Giuseppe Lavagetto; owner: Giuseppe Lavagetto):
[operations/docker-images/docker-report@master] Add a registryctl command-line utility

https://gerrit.wikimedia.org/r/563482

gerritbot added a project: Patch-For-Review.Jan 13 2020, 1:52 PM
MoritzMuehlenhoff subscribed.Jan 13 2020, 4:22 PM
Jdforrester-WMF awarded a token.Jan 13 2020, 4:29 PM
MoritzMuehlenhoff triaged this task as Medium priority.Jan 14 2020, 9:10 AM
thcipriani merged a task: T234691: Garbage-collect development (and other?) images from Docker registry as appropriate.Jan 14 2020, 4:42 PM
thcipriani added subscribers: brennen, akosiaris, dduvall and 3 others.
gerritbot added a comment.Jan 14 2020, 5:05 PM

Change 563482 merged by jenkins-bot:
[operations/docker-images/docker-report@master] Add a registryctl command-line utility

https://gerrit.wikimedia.org/r/563482

Maintenance_bot removed a project: Patch-For-Review.Jan 14 2020, 5:10 PM
Stashbot added a comment.Jan 14 2020, 5:21 PM

Mentioned in SAL (#wikimedia-operations) [2020-01-14T17:21:36Z] <_joe_> upload docker-report 0.0.2 to {buster,stretch}-wikimedia T242604

brennen added a project: User-brennen.Jan 15 2020, 6:22 PM
brennen moved this task from Backlog to Radar on the User-brennen board.
JMeybohm subscribed.Jul 1 2020, 2:06 PM

Unfortunately removing all tags of an image (e.g. repository) does not remove the repository itself from the registry[1][2]. What that means is that the "image" will still be listed in the catalog (GET /v2/_catalog).

In addition the swift storage backend does not handle this situation very well, leading the registry to respond with a 404 to requests for the tag list of a "deleted image":

HTTP/1.1 404 Not Found
Content-Type: application/json; charset=utf-8
Docker-Distribution-Api-Version: registry/2.0
X-Content-Type-Options: nosniff
Date: Wed, 01 Jul 2020 13:33:48 GMT
Content-Length: 113

{"errors":[{"code":"NAME_UNKNOWN","message":"repository name not known to registry","detail":{"name":"baaar"}}]}

The local file storage returns empty tags in that case:

HTTP/1.1 200 OK
Content-Type: application/json; charset=utf-8
Docker-Distribution-Api-Version: registry/2.0
X-Content-Type-Options: nosniff
Date: Wed, 01 Jul 2020 13:24:06 GMT
Content-Length: 29

{"name":"baaar","tags":null}

[1]https://github.com/docker/distribution/issues/2434
[2]https://github.com/docker/distribution/issues/2747

JMeybohm updated the task description. (Show Details)Jul 1 2020, 2:34 PM
gerritbot added a comment.Jul 1 2020, 3:11 PM

Change 608889 had a related patch set uploaded (by Giuseppe Lavagetto; owner: Giuseppe Lavagetto):
[operations/docker-images/docker-report@master] Handle cases of repositories with no tags

https://gerrit.wikimedia.org/r/c/operations/docker-images/docker-report/ /608889

gerritbot added a project: Patch-For-Review.Jul 1 2020, 3:11 PM
gerritbot added a comment.Jul 1 2020, 3:14 PM

Change 608889 merged by jenkins-bot:
[operations/docker-images/docker-report@master] Handle cases of repositories with no tags

https://gerrit.wikimedia.org/r/c/operations/docker-images/docker-report/ /608889

Stashbot added a comment.Jul 2 2020, 5:46 AM

Mentioned in SAL (#wikimedia-operations) [2020-07-02T05:46:33Z] <_joe_> upload docker-report 0.0.4 on buster-wikimedia T242604

Joe added a comment.Jul 2 2020, 5:54 AM

Docker-report can now support such cases, and I removed the tags for that repository.

JMeybohm mentioned this in T253396: Upgrade all TLS enabled charts to v0.2 tls_helper.Jul 2 2020, 8:18 AM
akosiaris awarded a token.Jul 2 2020, 8:38 AM
jijiki moved this task from Incoming 🐫 to 🔦Unused2 on the serviceops board.Aug 17 2020, 11:46 PM
akosiaris mentioned this in T263038: Dev images registry.Sep 24 2020, 10:00 AM
Ladsgroup subscribed.Sep 25 2020, 9:30 AM
JMeybohm mentioned this in T271381: "envoy-tls-local-proxy" image on docker-registry.wikimedia.org has no tags.Jan 7 2021, 8:48 AM
Maintenance_bot removed a project: Patch-For-Review.Jan 7 2021, 9:10 AM
JMeybohm merged a task: T271381: "envoy-tls-local-proxy" image on docker-registry.wikimedia.org has no tags.Jan 8 2021, 7:51 AM
JMeybohm added a subscriber: Legoktm.
JMeybohm added a project: Upstream.Jan 8 2021, 8:31 AM
thcipriani edited projects, added Release-Engineering-Team (Radar); removed Release-Engineering-Team.Apr 20 2021, 4:37 PM
thcipriani moved this task from Limbo to Watching/External on the Release-Engineering-Team (Radar) board.
JMeybohm updated the task description. (Show Details)Jun 7 2021, 3:46 PM
brennen mentioned this in T307537: Assess GitLab Container Registry as a default for container build processes.May 10 2022, 6:52 PM
akosiaris mentioned this in T307797: Clean-up / delete old versions of service pipeline created docker images from the public docker registry?.Sep 29 2022, 11:08 AM
bd808 subscribed.Sep 29 2022, 3:13 PM
jijiki moved this task from 🔦Unused2 to 🍦IceBox on the serviceops board.Nov 6 2022, 3:13 PM
Clement_Goubert subscribed.Feb 16 2024, 2:57 PM

Following this discussion on wikitech-l, marking for future deletion:
https://docker-registry.wikimedia.org/python3/tags/ superseded by python3-(buster|bullseye|bookworm)

akosiaris merged a task: T307797: Clean-up / delete old versions of service pipeline created docker images from the public docker registry?.Mar 8 2024, 12:51 PM
akosiaris added a subscriber: Jdforrester-WMF.
akosiaris mentioned this in T359067: Find an efficient strategy to add Pytorch and ROCm packages to our Docker images.Mar 8 2024, 1:17 PM
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL