import glob
import json
import os
import re
import sys

import boto
from boto.s3.key import Key
import requests
from requests.auth import HTTPBasicAuth
import urllib3
############################
######## Functions #########
############################
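def exit_with_error(message):
    """Report a fatal error and terminate the process with exit status 1.

    Args:
        message: Human-readable description of the fatal condition.

    Raises:
        SystemExit: always, with code 1. ``SystemExit`` is raised directly rather
            than via the ``exit()`` builtin, which is installed by the ``site``
            module and is absent under ``python -S`` or in embedded interpreters.
    """
    # Error text goes to stderr so it is not mixed into the progress output on stdout.
    print(message, file=sys.stderr)
    print("Exiting", file=sys.stderr)
    raise SystemExit(1)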
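# Initial setup
#
# All configuration comes from environment variables:
#   DRY_RUN=true           only report; no DELETE requests are sent
#   REGISTRY_STORAGE=S3    storage is an S3 bucket; ACCESS_KEY, SECRET_KEY, BUCKET and
#                          REGION are then mandatory. Any other value = local filesystem.
#   REGISTRY_DIR           storage root; defaults to "/" on S3 and "/registry" locally
#   REGISTRY_URL           base URL of the registry API (mandatory)
try:
    dry_run_mode = os.environ.get("DRY_RUN") == "true"
    if dry_run_mode:
        print("Running in dry-run mode. No changes will be made.")
        print()
    storage_on_s3 = os.environ.get("REGISTRY_STORAGE") == "S3"
    if storage_on_s3:
        print("Running against S3 storage")
        # Long-lived static keys read from the process environment, which is visible to
        # anything that can inspect the container; prefer injecting them from a secret
        # store. NOTE(review): boto can also resolve credentials from its own chain
        # (instance role / AWS_* variables); passing None for these would allow that -
        # confirm with the boto version in use before relaxing the KeyError.
        s3_access_key = os.environ['ACCESS_KEY']
        s3_secret_key = os.environ['SECRET_KEY']
        s3_bucket = os.environ['BUCKET']
        s3_region = os.environ['REGION']
        registry_dir = os.environ.get('REGISTRY_DIR', "/")
    else:
        print("Running against local storage")
        registry_dir = os.environ.get('REGISTRY_DIR', "/registry")
    # Strip a trailing slash so "%s/v2/" does not produce a "//v2/" path.
    registry_url = os.environ['REGISTRY_URL'].rstrip("/")
except KeyError as e:
    exit_with_error("Missing environment variable: %s" % (e))
if registry_url.startswith("http://"):
    # Basic credentials and bearer tokens travel in clear text over plain HTTP.
    print("WARNING: REGISTRY_URL is not https; credentials and tokens will be sent unencrypted", file=sys.stderr)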
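# Optional vars
#
# REGISTRY_AUTH='username:password' - HTTP basic credentials for the registry; they
# are also presented to the token endpoint when the registry uses bearer-token auth.
registry_auth_env = os.environ.get("REGISTRY_AUTH")
if registry_auth_env is not None:
    # Split on the FIRST colon only: usernames cannot contain ':' but passwords can,
    # and a plain split(":") silently truncated such passwords (and crashed with an
    # IndexError when no colon was present at all).
    auth_user, auth_sep, auth_password = registry_auth_env.partition(":")
    if not auth_sep:
        exit_with_error("REGISTRY_AUTH must be of the form 'username:password'")
    registry_auth = HTTPBasicAuth(auth_user, auth_password)
else:
    # None lets requests fall back to credentials embedded in the URL, if any.
    registry_auth = None
# SELF_SIGNED_CERT - TLS handling for the registry.
#   * value is the path of a PEM file: that file is used as the CA bundle and
#     certificate verification stays ON (requests accepts a bundle path for verify=).
#   * any other value (e.g. "true"): verification is disabled entirely. That exposes
#     the credentials and every DELETE to an on-path attacker; lab use only.
self_signed_cert = os.environ.get("SELF_SIGNED_CERT")
if self_signed_cert is None:
    cert_verify = True
elif os.path.isfile(self_signed_cert):
    cert_verify = self_signed_cert
else:
    cert_verify = False
    print("WARNING: SELF_SIGNED_CERT set - TLS certificate verification is disabled", file=sys.stderr)
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
# Filled in by the connection check below when the registry answers with a Bearer challenge.
token_authentication = False
token_auth_details = {}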
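# Check connection to registry
#
# A GET on /v2/ reveals the auth scheme: anything but 401 means basic/no auth is
# enough; a 401 with a "Bearer" challenge means a token must be fetched from the
# realm named in the challenge (docker token auth).
registry_headers = {}
try:
    r = requests.get("%s/v2/" % (registry_url), auth=registry_auth, verify=cert_verify)
    if r.status_code == 401:
        challenge = r.headers.get("Www-Authenticate", "")
        if challenge.lower().startswith("bearer"):
            #We have token based auth, try it
            token_authentication = True
            # Parse 'Bearer realm="...",service="...",scope="..."' into a dict. Matching
            # the quoted pairs directly copes with spaces after the commas and with
            # commas inside a quoted scope, both of which broke the old split-based parse.
            token_auth_details = dict(re.findall(r'(\w+)="([^"]*)"', challenge))
            if "realm" not in token_auth_details:
                exit_with_error("Could not parse the Www-Authenticate challenge from the registry: %s" % (challenge))
            # The realm URL is chosen by the registry and the basic credentials are sent
            # to it; params= keeps a realm that already carries a query string intact.
            r2 = requests.get(
                token_auth_details["realm"],
                params={"service": token_auth_details.get("service", ""), "scope": ""},
                auth=registry_auth,
                verify=cert_verify,
            )
            if r2.status_code == 401:
                exit_with_error("Got an authentication error connecting to the registry - even with token authentication. Check credentials, or add REGISTRY_AUTH='username:password'")
            else:
                try:
                    token_body = r2.json()
                except ValueError:
                    token_body = {}
                if not isinstance(token_body, dict):
                    token_body = {}
                # The token spec names the field "token"; OAuth2-style servers use "access_token".
                auth_token = token_body.get("token") or token_body.get("access_token")
                if not auth_token:
                    exit_with_error("Token endpoint %s returned no token (response code %s)" % (token_auth_details["realm"], r2.status_code))
                registry_headers = {"Authorization": "Bearer %s" % (auth_token)}
        else:
            exit_with_error("Got an authentication error connecting to the registry. Check credentials, or add REGISTRY_AUTH='username:password'")
except requests.exceptions.SSLError as e:
    exit_with_error("Got an SSLError connecting to the registry. Might be a self signed cert, please set SELF_SIGNED_CERT=true")
except requests.exceptions.RequestException as e:
    exit_with_error("Could not contact registry at %s - error: %s" % (registry_url, e))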
# Set variables
#
# Storage layout used by the registry's filesystem and S3 drivers:
#   <root>/docker/registry/v2/repositories/<name>/_manifests/revisions/sha256/<digest>/link
#   <root>/docker/registry/v2/repositories/<name>/_manifests/tags/<tag>/current/link
#   <root>/docker/registry/v2/blobs/sha256/<xx>/<digest>/data
# NOTE(review): with the S3 default REGISTRY_DIR="/" blob_dir begins with "//", while
# S3 object keys usually carry no leading slash at all - confirm the blob reads
# actually succeed before trusting a run against S3 with the default.
repo_dir = "%s/docker/registry/v2/repositories" % (registry_dir)  # currently unused
blob_dir = "%s/docker/registry/v2/blobs" % (registry_dir)
# all_manifests          bare hex digests of every manifest revision found in storage
# linked_manifests       digests some tag still points at (directly or via a manifest list)
# linked_manifest_files  paths of the tags' current/link files
# file_list              every file path (or S3 key) under the registry root
all_manifests, linked_manifests, linked_manifest_files, file_list = set(), set(), set(), set()
if storage_on_s3:
    bucket_size = 0
    # Connect to bucket
    conn = boto.s3.connect_to_region(s3_region, aws_access_key_id=s3_access_key, aws_secret_access_key=s3_secret_key)
    bucket = conn.get_bucket(s3_bucket)
    s3_file_list = bucket.list()
    # A single listing pass yields both the key names and the total bucket size.
    for s3_key in s3_file_list:
        bucket_size += s3_key.size
        file_list.add(s3_key.name)
else:
    #local storage: walk the whole tree, keeping regular files only
    file_list.update(
        path
        for path in glob.iglob("%s/**" % (registry_dir), recursive=True)
        if os.path.isfile(path)
    )
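# Classify the link files: revision links give the full set of manifests present,
# tag links (current/link) give the ones still referenced by a tag.
revision_digest_re = re.compile(r".*docker/registry/v2/repositories/.*/_manifests/revisions/sha256/(.*)/link")
for filename in file_list:
    if not filename.endswith("link"):
        continue
    if "_manifests/revisions/sha256" in filename:
        digest_match = revision_digest_re.match(filename)
        if digest_match is None:
            # re.sub() used to hand back the whole path here, which was then treated
            # as a digest; skip anything that does not fit the storage layout.
            continue
        all_manifests.add(digest_match.group(1))
    elif "_manifests/tags/" in filename and filename.endswith("/current/link"):
        linked_manifest_files.add(filename)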
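#fetch linked_manifest_files
#
# For every tag, read the digest its current/link points at and mark that manifest
# as in use. A manifest list (multi-arch image) or OCI image index references
# per-platform manifests that are stored as separate, untagged revisions of the same
# repository, so the list itself AND each child must be marked in use - the cleanup
# below deletes everything that is not.
manifest_list_media_types = (
    "application/vnd.docker.distribution.manifest.list.v2+json",
    "application/vnd.oci.image.index.v1+json",
)
for filename in linked_manifest_files:
    error = False
    manifest = None
    # Step 1: the link file holds "sha256:<hex>"; keep the hex part. If a link cannot
    # be read we do not know which manifest that tag protects, so abort rather than
    # risk deleting it (fail closed).
    try:
        if storage_on_s3:
            k = Key(bucket)
            k.key = filename
            link_content = k.get_contents_as_string().decode()
        else:
            with open(filename, 'r') as link_file:
                link_content = link_file.read()
        shasum = link_content.strip().split(":")[1]
    except Exception as e:
        exit_with_error("Could not read tag link %s (%s); aborting because the set of in-use manifests is unknown" % (filename, e))
    # Step 2: fetch the manifest blob to find out whether it is a list/index.
    blob_path = "%s/sha256/%s/%s/data" % (blob_dir, shasum[0:2], shasum)
    try:
        if storage_on_s3:
            k.key = blob_path
            manifest = json.loads(k.get_contents_as_string().decode())
        else:
            with open(blob_path) as blob_file:
                manifest = json.load(blob_file)
    except Exception as e:
        error = True
        # Best effort, as before: the tagged digest itself is still protected below,
        # but if this was a manifest list its children cannot be - consider aborting
        # instead when multi-arch images are in use.
        print("Caught error trying to read manifest %s for %s (%s), ignoring." % (shasum, filename, e))
    # The tagged manifest is always in use, whether or not it is a list. (Previously a
    # manifest list was NOT added here, so the tagged list itself got deleted.)
    linked_manifests.add(shasum)
    if error:
        continue
    if isinstance(manifest, dict) and manifest.get("mediaType") in manifest_list_media_types:
        #add all manifests from manifest list
        for mf in manifest.get("manifests", []):
            # Child digests are "sha256:<hex>" while all_manifests holds bare hex; drop
            # the algorithm prefix or the children never match and get deleted.
            linked_manifests.add(mf["digest"].rpartition(":")[2])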
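unused_manifests = all_manifests - linked_manifests
if len(unused_manifests) == 0:
    print("No manifests without tags found. Nothing to do.")
    if storage_on_s3:
        print("For reference, the size of the bucket is currently: %s bytes" % (bucket_size))
else:
    print("Found " + str(len(unused_manifests)) + " manifests without tags. Deleting")
    # Index revision links once (digest -> repositories holding that revision) instead
    # of rescanning the whole file list for every manifest. Repository names may
    # contain "/", hence the greedy group for the name and "[^/]+" for the digest.
    revision_repo_re = re.compile(r".*docker/registry/v2/repositories/(.*)/_manifests/revisions/sha256/([^/]+)/link")
    repos_by_digest = {}
    for file in file_list:
        if "_manifests/revisions/sha256/" not in file or not file.endswith("link"):
            continue
        repo_match = revision_repo_re.match(file)
        if repo_match is not None:
            repos_by_digest.setdefault(repo_match.group(2), set()).add(repo_match.group(1))
    #counters
    current_count = 0
    cleaned_count = 0
    failed_count = 0
    total_count = len(unused_manifests)
    for manifest in sorted(unused_manifests):
        current_count += 1
        status_msg = "Cleaning %s of %s" % (current_count, total_count)
        # dry_run_mode was computed at startup; re-reading the environment here was
        # a second, diverging copy of the same check.
        if dry_run_mode:
            status_msg += " ..not really, due to dry-run mode"
        print(status_msg)
        for repo in sorted(repos_by_digest.get(manifest, ())):
            delete_url = "%s/v2/%s/manifests/sha256:%s" % (registry_url, repo, manifest)
            if dry_run_mode:
                print("DRY_RUN: Would have run an HTTP DELETE request to %s" % (delete_url))
                continue
            if token_authentication:
                # One token per repository, scoped to that repository. The DELETE only
                # needs the "delete" action; a token server that honours narrower scopes
                # could be asked for "repository:<name>:delete" instead of "*".
                r2 = requests.get(
                    token_auth_details["realm"],
                    params={"service": token_auth_details.get("service", ""), "scope": "repository:%s:*" % (repo)},
                    auth=registry_auth,
                    verify=cert_verify,
                )
                try:
                    token_body = r2.json()
                except ValueError:
                    token_body = {}
                if not isinstance(token_body, dict):
                    token_body = {}
                auth_token = token_body.get("token") or token_body.get("access_token")
                if not auth_token:
                    # Previously an uncaught KeyError; count it and move on.
                    failed_count += 1
                    print("Failed to get a token for repo %s (response code %s), skipping manifest %s" % (repo, r2.status_code, manifest))
                    continue
                registry_headers = {"Authorization": "Bearer %s" % (auth_token)}
                r = requests.delete(delete_url, verify=cert_verify, headers=registry_headers)
            else:
                r = requests.delete(delete_url, auth=registry_auth, verify=cert_verify)
            if r.status_code == 202:
                cleaned_count += 1
            else:
                failed_count += 1
                hint = " (405 usually means manifest deletion is not enabled on the registry)" if r.status_code == 405 else ""
                print("Failed to clean manifest %s from repo %s with response code %s%s" % (manifest, repo, r.status_code, hint))
    print("Job done, Cleaned %s of %s manifests." % (cleaned_count, total_count))
    if failed_count:
        print("%s delete requests failed; the corresponding manifests are still present." % (failed_count))
    print()
    print()
    if storage_on_s3:
        print("For reference, the size of the bucket before this run was: %s bytes" % (bucket_size))
    print()
    print("Please run a garbage-collect on the registry now to free up disk space.")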