Problem
The standard task named "Docker - Delete unused manifests and images" has an intentional design restriction.
When the "Docker - Delete unused manifests and images" task (Docker.GC) runs, any Docker layer asset it finds that also exists in any other Docker repository in the same repository instance, across all blobstores, is not deleted. The task log reports that such layers are retained due to "Found asset referenced in another repository".
The primary purpose of this design is to protect against accidentally deleting layers of an image that is spread across Docker repositories in the same group repository hierarchy. Images are commonly arranged that way when using the feature that allows deploying into a Docker group repository an image that references layers from multiple members of that group repository.
A scenario may exist where a complete image and all its layers exist in repo A, but another repo B has one or more of those layers that could in theory be safe to clean up.
In this scenario, a customer cannot normally clean up those assets from repo B, even though, after fully understanding the history of the instance, there likely would not be negative impacts. The forced retention of these essentially unused layers may contribute to significant storage and resource costs in certain scenarios.
Solution
As of Nexus Repository 3.62.0, a hidden scheduled task has been added that helps clean up unused Docker layers inside one repository that may also exist in other repositories in the same Nexus Repository 3 instance.
The task is called "Docker - Delete unused manifests and images (Skip cross-layers repository usage check)" and is hidden from Administrators (not visible to create or run) by default.
Task Restrictions
The task is intended to address a very specific circumstance and should be used only at the advice of Sonatype Support in consultation with a customer. If used incorrectly or without careful and full consideration, unintended data loss and Docker build failures may result.
- The task configuration allows a specific repository to be specified to run against.
- The task examines the Docker assets of the specified repository and deletes any unused manifests and layers inside that repository. Unused means those manifests and layers that are no longer linked/referenced by a Docker tag inside of that repository only. Unlike the standard Docker GC task, this custom task does not check if the layer or manifest is being used in ANY other Docker repos.
- As an added protection against accidental data loss, the task is not runnable if the configured repository is a member of a group repository that allows Docker deployment.
- The task includes a message in the UI stating its scope and limitations as well as a warning of potential data loss if used incorrectly.
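The difference between the two tasks, as an added example that is not Sonatype's code: a simplified Python model in which the `Repo` class, the function names and the sample inventory are all assumptions constructed for illustration. It shows which unused layers of a target repository the standard task retains, which ones the hidden task would delete, and the group-membership guard; the cross-repository check is modelled for layers only.

```python
# Added illustration: a simplified in-memory model, not Nexus Repository code.
from dataclasses import dataclass

@dataclass
class Repo:
    name: str
    tags: dict        # tag -> manifest digest
    manifests: dict   # manifest digest -> set of layer digests
    layers: set       # layer assets stored in this repository
    in_deployable_group: bool = False  # member of a group allowing docker deployment

def unused_in_repo(repo):
    """Manifests and layers not referenced by any tag inside this repository only."""
    live_manifests = set(repo.tags.values())
    live_layers = set().union(*(repo.manifests.get(m, set()) for m in live_manifests))
    return set(repo.manifests) - live_manifests, repo.layers - live_layers

def standard_gc(target, instance):
    """Standard task: an unused layer that also exists in any other repo is retained."""
    _, unused = unused_in_repo(target)
    elsewhere = set().union(*(r.layers for r in instance if r.name != target.name))
    return {"deleted": unused - elsewhere, "retained": unused & elsewhere}

def skip_check_gc(target):
    """Hidden task: no cross-repository check, but refuses deployable-group members."""
    if target.in_deployable_group:
        raise RuntimeError(
            f"{target.name}: member of a group repository that allows docker deployment")
    manifests, layers = unused_in_repo(target)
    return {"deleted": layers, "deleted_manifests": manifests}

# Constructed sample inventory (digests shortened to labels).
# repo-a holds a complete tagged image; repo-b holds stale copies of layer L1.
REPO_A = Repo("repo-a", {"app:1": "mA"}, {"mA": {"L1", "L2"}}, {"L1", "L2"})
REPO_B = Repo("repo-b", {"tool:2": "mB2"},
              {"mB2": {"L4"}, "mB-old": {"L1", "L3"}}, {"L1", "L3", "L4"})
REPO_C = Repo("repo-c", {}, {}, {"L1"}, in_deployable_group=True)
INSTANCE = [REPO_A, REPO_B, REPO_C]

if __name__ == "__main__":
    print("standard  :", standard_gc(REPO_B, INSTANCE))
    print("skip-check:", skip_check_gc(REPO_B))
    try:
        skip_check_gc(REPO_C)
    except RuntimeError as err:
        print("refused   :", err)
```

In the sample, the standard task keeps `L1` in repo-b because repo-a also stores it, while the skip-check model removes it from repo-b only and leaves repo-a's copy untouched.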
How to Enable the Task
If you are a Sonatype customer, please contact Sonatype Support to learn if this task can help your use case.