自动清除 Azure 容器注册表中的映像Automatically purge images from an Azure container registry

在开发工作流中使用 Azure 容器注册表时,注册表中可能很快会填满在一小段时间后不需要的映像或其他项目。When you use an Azure container registry as part of a development workflow, the registry can quickly fill up with images or other artifacts that aren't needed after a short period. 你可能会想删除早于某一特定持续时间或与指定名称筛选器匹配的所有标记。You might want to delete all tags that are older than a certain duration or match a specified name filter. 为帮助你快速删除多个项目,本文介绍了 acr purge 命令,可以将其作为按需或计划的 ACR 任务来运行。To delete multiple artifacts quickly, this article introduces the acr purge command you can run as an on-demand or scheduled ACR Task.

acr purge 命令当前在公共容器映像 (mcr.microsoft.com/acr/acr-cli:0.2) 中分发,该映像通过 GitHub 中 acr-cli 存储库中的源代码生成。The acr purge command is currently distributed in a public container image (mcr.microsoft.com/acr/acr-cli:0.2), built from source code in the acr-cli repo in GitHub.

可以使用本地安装的 Azure CLI 来运行本文中的 ACR 任务示例。You can use a local installation of the Azure CLI to run the ACR task examples in this article. 如果想要在本地使用它,则需要使用 2.0.76 版或更高版本。If you'd like to use it locally, version 2.0.76 or later is required. 运行 az --version 即可查找版本。Run az --version to find the version. 如果需要进行安装或升级,请参阅安装 Azure CLIIf you need to install or upgrade, see Install Azure CLI.

重要

此功能目前处于预览状态。This feature is currently in preview. 需同意补充使用条款才可使用预览版。Previews are made available to you on the condition that you agree to the supplemental terms of use. 在正式版 (GA) 推出之前,此功能的某些方面可能会有所更改。Some aspects of this feature may change prior to general availability (GA).

警告

请谨慎使用 acr purge 命令,已删除映像数据是无法恢复的。Use the acr purge command with caution--deleted image data is UNRECOVERABLE. 如果系统按清单摘要(而不是映像名称)拉取映像,则不应清除未标记的映像。If you have systems that pull images by manifest digest (as opposed to image name), you should not purge untagged images. 删除无标的记映像后,这些系统即无法从注册表拉取映像。Deleting untagged images will prevent those systems from pulling the images from your registry. 不按清单拉取,而是考虑采用建议的最佳做法,即唯一标记方案。Instead of pulling by manifest, consider adopting a unique tagging scheme, a recommended best practice.

如果想使用 Azure CLI 命令删除单个映像标记或清单,请参阅删除 Azure 容器注册表中的容器映像If you want to delete single image tags or manifests using Azure CLI commands, see Delete container images in Azure Container Registry.

使用清除命令Use the purge command

acr purge 容器命令按标记删除存储库中与名称筛选器匹配和早于指定持续时间的映像。The acr purge container command deletes images by tag in a repository that match a name filter and that are older than a specified duration. 默认情况下,仅删除标记引用,而不会删除基础清单和层数据。By default, only tag references are deleted, not the underlying manifests and layer data. 该命令还提供删除清单的选项。The command has an option to also delete manifests.

备注

acr purge 不会删除 write-enabled 属性设置为 false 的映像标记或存储库。acr purge does not delete an image tag or repository where the write-enabled attribute is set to false. 有关信息,请参阅锁定 Azure 容器注册表中的容器映像For information, see Lock a container image in an Azure container registry.

acr purge 旨在作为 ACR 任务中的容器命令运行,以便对运行任务的注册表自动进行身份验证,并在其中执行操作。acr purge is designed to run as a container command in an ACR Task, so that it authenticates automatically with the registry where the task runs and performs actions there. 本文中的任务示例使用 acr purge 命令别名替代完全限定的容器映像命令。The task examples in this article use the acr purge command alias in place of a fully qualified container image command.

运行 acr purge 时,请至少指定以下内容:At a minimum, specify the following when you run acr purge:

  • --filter - 一个存储库和用于筛选存储库中标记的正则表达式。--filter - A repository and a regular expression to filter tags in the repository. 示例:--filter "hello-world:.*" 匹配 hello-world 存储库中的所有标记,而 --filter "hello-world:^1.*" 匹配以 1 开头的标记。Examples: --filter "hello-world:.*" matches all tags in the hello-world repository, and --filter "hello-world:^1.*" matches tags beginning with 1. 传递多个 --filter 参数以清除多个存储库。Pass multiple --filter parameters to purge multiple repositories.
  • --ago - 一个 Go 风格的持续时间字符串,用于指示超过多长时间即删除映像。--ago - A Go-style duration string to indicate a duration beyond which images are deleted. 该持续时间由一个或多个十进制数字序列组成,每个数字都有一个单位后缀。The duration consists of a sequence of one or more decimal numbers, each with a unit suffix. 有效的时间单位包括“d”(表示天数)、“h”(表示小时数)和“m”(表示分钟数)。Valid time units include "d" for days, "h" for hours, and "m" for minutes. 例如,--ago 2d3h6m 选择上次修改时间早于 2 天 3 小时 6 分钟之前的所有已筛选的映像,--ago 1.5h 选择上次修改时间早于 1.5 小时之前的映像。For example, --ago 2d3h6m selects all filtered images last modified more than 2 days, 3 hours, and 6 minutes ago, and --ago 1.5h selects images last modified more than 1.5 hours ago.

acr purge 支持几个可选参数。acr purge supports several optional parameters. 本文中的示例使用了以下两个参数:The following two are used in examples in this article:

  • --untagged - 指定删除没有相关标记的清单(未标记的清单)。--untagged - Specifies that manifests that don't have associated tags (untagged manifests) are deleted.
  • --dry-run - 指定不删除任何数据,但其输出与在没有此标志的情况下运行此命令时的输出相同。--dry-run - Specifies that no data is deleted, but the output is the same as if the command is run without this flag. 此参数有助于测试清除命令,确保它不会无意中删除要保留的数据。This parameter is useful for testing a purge command to make sure it does not inadvertently delete data you intend to preserve.

对于其他参数,请运行 acr purge --helpFor additional parameters, run acr purge --help.

acr purge 支持 ACR 任务命令的其他功能,包括经过流式处理并保存以供以后检索的运行变量任务运行日志acr purge supports other features of ACR Tasks commands including run variables and task run logs that are streamed and also saved for later retrieval.

在按需任务中运行Run in an on-demand task

以下示例使用 az acr run 命令按需运行 acr purge 命令。The following example uses the az acr run command to run the acr purge command on-demand. 此示例将删除修改时间早于 1 天前的 myregistry 中的 hello-world 存储库中的所有映像标记和清单。This example deletes all image tags and manifests in the hello-world repository in myregistry that were modified more than 1 day ago. 使用环境变量传递容器命令。The container command is passed using an environment variable. 任务在没有源上下文的情况下运行。The task runs without a source context.

# Environment variable for container command line
PURGE_CMD="acr purge --filter 'hello-world:.*' \
  --untagged --ago 1d"

az acr run \
  --cmd "$PURGE_CMD" \
  --registry myregistry \
  /dev/null

在计划的任务中运行Run in a scheduled task

以下示例使用 az acr task create 命令创建每日运行的计划的 ACR 任务The following example uses the az acr task create command to create a daily scheduled ACR task. 此任务清除 hello-world 存储库中早于 7 天前修改的标记。The task purges tags modified more than 7 days ago in the hello-world repository. 使用环境变量传递容器命令。The container command is passed using an environment variable. 任务在没有源上下文的情况下运行。The task runs without a source context.

# Environment variable for container command line
PURGE_CMD="acr purge --filter 'hello-world:.*' \
  --ago 7d"

az acr task create --name purgeTask \
  --cmd "$PURGE_CMD" \
  --schedule "0 0 * * *" \
  --registry myregistry \
  --context /dev/null

运行 az acr task show 命令,查看是否已配置计时器触发器。Run the az acr task show command to see that the timer trigger is configured.

清除大量标记和清单Purge large numbers of tags and manifests

清除大量标记和清单可能需要几分钟或更长时间。Purging a large number of tags and manifests could take several minutes or longer. 若要清除数千个标记和清单,命令需要运行的时间可能会比按需任务的默认超时时间 600 秒或计划的任务的默认超时时间 3600 秒要长。To purge thousands of tags and manifests, the command might need to run longer than the default timeout time of 600 seconds for an on-demand task, or 3600 seconds for a scheduled task. 如果超过超时时间,则仅会删除部分标记和清单。If the timeout time is exceeded, only a subset of tags and manifests are deleted. 若要确保完成大规模清除操作,请传递 --timeout 参数以增加此值。To ensure that a large-scale purge is complete, pass the --timeout parameter to increase the value.

例如,以下按需任务将超时时间设置为 3600 秒(1 小时):For example, the following on-demand task sets a timeout time of 3600 seconds (1 hour):

# Environment variable for container command line
PURGE_CMD="acr purge --filter 'hello-world:.*' \
  --ago 1d --untagged"

az acr run \
  --cmd "$PURGE_CMD" \
  --registry myregistry \
  --timeout 3600 \
  /dev/null

示例:计划清除注册表中的多个存储库Example: Scheduled purge of multiple repositories in a registry

此示例演示如何使用 acr purge 定期清除注册表中的多个存储库。This example walks through using acr purge to periodically clean up multiple repositories in a registry. 例如,你可能有一个将映像推送到 samples/devimage1samples/devimage2 存储库的开发管道。For example, you might have a development pipeline that pushes images to the samples/devimage1 and samples/devimage2 repositories. 你定期将开发映像导入到部署的生产存储库,因此不再需要开发映像。You periodically import development images into a production repository for your deployments, so you no longer need the development images. 你会每周清除 samples/devimage1samples/devimage2 存储库,以便为未来一周的工作做好准备。On a weekly basis, you purge the samples/devimage1 and samples/devimage2 repositories, in preparation for the coming week's work.

预览清除Preview the purge

在删除数据之前,我们建议使用 --dry-run 参数运行按需清除任务。Before deleting data, we recommend running an on-demand purge task using the --dry-run parameter. 通过此选项,可以查看命令将清除的标记和清单,而不会删除任何数据。This option allows you to see the tags and manifests that the command will purge, without removing any data.

在以下示例中,每个存储库中的筛选器都会选择所有标记。In the following example, the filter in each repository selects all tags. --ago 0d 参数与存储库中与筛选器匹配的所有年龄的映像匹配。The --ago 0d parameter matches images of all ages in the repositories that match the filters. 根据方案的需要修改选择条件。Modify the selection criteria as needed for your scenario. --untagged 参数指示除了删除标记之外还要删除清单。The --untagged parameter indicates to delete manifests in addition to tags. 使用环境变量将容器命令传递到 az acr run 命令。The container command is passed to the az acr run command using an environment variable.

# Environment variable for container command line
PURGE_CMD="acr purge \
  --filter 'samples/devimage1:.*' --filter 'samples/devimage2:.*' \
  --ago 0d --untagged --dry-run"

az acr run \
  --cmd "$PURGE_CMD" \
  --registry myregistry \
  /dev/null

查看命令输出,以查看与选择参数匹配的标记和清单。Review the command output to see the tags and manifests that match the selection parameters. 由于命令通过 --dry-run 运行,因此不会删除任何数据。Because the command is run with --dry-run, no data is deleted.

示例输出:Sample output:

[...]
Deleting tags for repository: samples/devimage1
myregistry.azurecr.cn/samples/devimage1:232889b
myregistry.azurecr.cn/samples/devimage1:a21776a
Deleting manifests for repository: samples/devimage1
myregistry.azurecr.cn/samples/devimage1@sha256:81b6f9c92844bbbb5d0a101b22f7c2a7949e40f8ea90c8b3bc396879d95e788b
myregistry.azurecr.cn/samples/devimage1@sha256:3ded859790e68bd02791a972ab0bae727231dc8746f233a7949e40f8ea90c8b3
Deleting tags for repository: samples/devimage2
myregistry.azurecr.cn/samples/devimage2:5e788ba
myregistry.azurecr.cn/samples/devimage2:f336b7c
Deleting manifests for repository: samples/devimage2
myregistry.azurecr.cn/samples/devimage2@sha256:8d2527cde610e1715ad095cb12bc7ed169b60c495e5428eefdf336b7cb7c0371
myregistry.azurecr.cn/samples/devimage2@sha256:ca86b078f89607bc03ded859790e68bd02791a972ab0bae727231dc8746f233a

Number of deleted tags: 4
Number of deleted manifests: 4
[...]

安排清除计划Schedule the purge

验证 dry run 后,创建一个计划的任务以自动执行清除。After you've verified the dry run, create a scheduled task to automate the purge. 以下示例安排了一个在每周日 UTC 1:00 运行的每周任务,通过它运行之前的清除命令:The following example schedules a weekly task on Sunday at 1:00 UTC to run the previous purge command:

# Environment variable for container command line
PURGE_CMD="acr purge \
  --filter 'samples/devimage1:.*' --filter 'samples/devimage2:.*' \
  --ago 0d --untagged"

az acr task create --name weeklyPurgeTask \
  --cmd "$PURGE_CMD" \
  --schedule "0 1 * * Sun" \
  --registry myregistry \
  --context /dev/null

运行 az acr task show 命令,查看是否已配置计时器触发器。Run the az acr task show command to see that the timer trigger is configured.

后续步骤Next steps

了解用于在 Azure 容器注册表中删除映像数据的其他选项。Learn about other options to delete image data in Azure Container Registry.

有关映像存储的详细信息,请参阅 Azure 容器注册表中的容器映像存储For more information about image storage, see Container image storage in Azure Container Registry.