Are tag-less container images deleted? #26716
-
I’ve been trying out the GHCR with a very simple container, including build on Actions. So far I have the build always push to the Is this intentional? I’m not complaining about the behavior, I just want to know if I can rely on it to e.g. push a |
Beta Was this translation helpful? Give feedback.
Replies: 14 comments 6 replies
-
There should be an untagged version left behind assuming the new build is different. If there was no difference then you’d see this behaviour. We’re not deleting tag-less containers, they stick around until you delete them. |
Beta Was this translation helpful? Give feedback.
-
Thanks for the explanation! Content-wise the containers are identical, just different labels, so I suppose that explains it. 🙂 In that case I will have to look into cleanup for nightly builds and the like. |
Beta Was this translation helpful? Give feedback.
-
I experimented with this a bit more and confirmed that tag-less images are still accessible if you have the digest. However, there seems to be no way to discover them: They don’t show up on the Github package page (only tagged versions there), and the Docker HTTP API V2 documentation doesn’t mention any way to find them either. Is there any other way I’m missing? |
Beta Was this translation helpful? Give feedback.
-
Can you take a look at the versions page? This is part of the settings page. I thought it had all the versions available and you could click into them. Build software better, togetherGitHub is where people build software. More than 50 million people use GitHub to discover, fork, and contribute to over 100 million projects. |
Beta Was this translation helpful? Give feedback.
-
Evidently it shows only tagged versions. Two digests I still have saved for that image, both formerly tagged
I just tested that I can still pull the images using those digests (yes), but they don’t show up on the versions page, or anywhere else that I’m aware of. |
Beta Was this translation helpful? Give feedback.
-
airtower-luna:
This is also how it works on Docker Hub. How would you want the un-tagged images to appear? Would you want to see the tags the image was previous tagged with? |
Beta Was this translation helpful? Give feedback.
-
jcansdale:
Preferably listed via an API call (rationale below), although on the versions page (maybe behind an “show untagged images” button or something) would be nice.
jcansdale:
Can’t hurt, but I’d be more interested in the timestamp of when the image was pushed. What I’m thinking of is cleaning up images that aren’t needed after a while, e.g.:
The latter would accumulate in the order of gigabytes pretty quickly, and would hardly be useful for anyone else in old versions, so I’d like to clean up after myself. Basically a sort of As long as packages storage is free for open source projects it would not hurt me to leave them around, but for people with private images it could quickly become a billing issue. And evidently it became an issue for Docker Hub, too, given their recent announcement to delete unused images on free accounts after 6 months (that’d do the trick for me, too, but maybe not for people who need to pay for storage). That post also says:
I haven’t seen any specifics on that yet, but to me it sound like “tools to help you clean up”, so a compatible API on GHCR might be a thing to consider. |
Beta Was this translation helpful? Give feedback.
-
@airtower-luna thanks for the link to the announcement.
Wow, this is some pretty agressive cleanup of tagged images!
For untagged images this seems pretty reasonable.
So you’d want to know when they were pushed, whether they’re tagged and maybe when they where last downloaded? |
Beta Was this translation helpful? Give feedback.
-
jcansdale:
Yes, exactly. I guess the most flexible solution would be to include a list of tags for the image, if any. With that information I could easily set up e.g. a scheduled Actions workflow to clean up old images that are either untagged or tagged in a certain way. 🙂 And I agree that the Docker Hub policy is rather aggressive for tagged images, in principle I’d like to keep release versions around indefinitely. On the other hand depending on the image content I might worry about people using such an old image anyway, at least without vulnerability scanning (which I’d really like to see in GHCR, but that’s a separate thing). I wouldn’t want to keep track of which of the included libraries might have gotten security patches in the last half year, and whether any of the issues might be exploitable in the context of the image. 😅 |
Beta Was this translation helpful? Give feedback.
-
I’ve written the kind of cleanup script I was thinking of here using the new packages delete/restore API. 🙂 github.comairtower-luna/hello-ghcr/blob/e17ebc574711f4bcf85f8bd6b2380e226901778d/ghcr-prune.py#L76-L85
|
Beta Was this translation helpful? Give feedback.
-
Hi @airtower-luna,
I had a similar thought. 😃 Here’s a GitHub Action script that can be used to delete untagged images for a specified container package:
If anyone tries this, please let me know if you have any problems running the script! |
Beta Was this translation helpful? Give feedback.
-
Just want to clarify that |
Beta Was this translation helpful? Give feedback.
-
ain-soph:
Sorry about that! I forgot and fell into this trap as well. 😊 |
Beta Was this translation helpful? Give feedback.
-
Hi, there. Thank you for your script. It is working as intended. However, if you build a multi-arch image with @latest tag looks like only one arch will be tagged which means the container of rest arch will be deleted. Could you tell me you have a solution for this case please? |
Beta Was this translation helpful? Give feedback.
There should be an untagged version left behind assuming the new build is different. If there was no difference then you’d see this behaviour. We’re not deleting tag-less containers, they stick around until you delete them.