Cannot delete image from Google Cloud Registry

[cfiderer]

Hi,

I am able to inspect my test image at GCR, but I cannot delete it:

> skopeo --debug delete docker://eu.gcr.io/sap-clm-ift/username/ji1516/com.sap.sl.cbpod/canary:1.0.0
time="2022-07-20T18:13:31+02:00" level=debug msg="Using registries.d directory /etc/containers/registries.d"
time="2022-07-20T18:13:31+02:00" level=debug msg="Loading registries configuration \"/etc/containers/registries.conf\""
time="2022-07-20T18:13:31+02:00" level=debug msg="No credentials matching eu.gcr.io/sap-clm-ift/username/ji1516/com.sap.sl.cbpod/canary found in C:\\Users\\username\\.config\\containers\\auth.json"
time="2022-07-20T18:13:31+02:00" level=debug msg="No credentials matching eu.gcr.io/sap-clm-ift/username/ji1516/com.sap.sl.cbpod/canary found in C:\\Users\\username\\.config\\containers\\auth.json"
time="2022-07-20T18:13:31+02:00" level=debug msg="Looking up in credential helper gcloud based on credHelpers entry in C:\\Users\\username\\.docker\\config.json"
time="2022-07-20T18:13:35+02:00" level=debug msg="Found credentials for eu.gcr.io/sap-clm-ift/username/ji1516/com.sap.sl.cbpod/canary in credential helper containers-auth.json in file C:\\Users\\username\\.docker\\config.json"
time="2022-07-20T18:13:35+02:00" level=debug msg=" No signature storage configuration found for eu.gcr.io/sap-clm-ift/username/ji1516/com.sap.sl.cbpod/canary:1.0.0, using built-in default file://C:%5CUsers%5Cusername%5C.local%5Cshare%5Ccontainers%5Csigstore"
time="2022-07-20T18:13:35+02:00" level=debug msg="Looking for TLS certificates and private keys in \\etc\\docker\\certs.d\\eu.gcr.io"
time="2022-07-20T18:13:35+02:00" level=debug msg="GET https://eu.gcr.io/v2/"
time="2022-07-20T18:13:36+02:00" level=debug msg="Ping https://eu.gcr.io/v2/ status 401"
time="2022-07-20T18:13:36+02:00" level=debug msg="GET https://eu.gcr.io/v2/token?account=_dcgcloud_token&scope=repository%3Asap-clm-ift%2Fusername%2Fji1516%2Fcom.sap.sl.cbpod%2Fcanary%3A%2A&service=eu.gcr.io"
time="2022-07-20T18:13:36+02:00" level=debug msg="GET https://eu.gcr.io/v2/sap-clm-ift/username/ji1516/com.sap.sl.cbpod/canary/manifests/1.0.0"
time="2022-07-20T18:13:36+02:00" level=debug msg="DELETE https://eu.gcr.io/v2/sap-clm-ift/username/ji1516/com.sap.sl.cbpod/canary/manifests/sha256:335b02d3eeae3e0837fced155de8b35e5a948fa68186a5424ff0f3f7724a0572"
time="2022-07-20T18:13:37+02:00" level=fatal msg="Failed to delete /v2/sap-clm-ift/username/ji1516/com.sap.sl.cbpod/canary/manifests/sha256:335b02d3eeae3e0837fced155de8b35e5a948fa68186a5424ff0f3f7724a0572: {\"errors\":[{\"code\":\"GOOGLE_MANIFEST_DANGLING_TAG\",\"message\":\"Manifest is still referenced by tag: 1.0.0\"}]} (400 Bad Request)"

Looking at the source code, it seems that the deleteImage() function (docker/docker_image_src.go) obtains the manifest and issues a DELETE request for the digest - but it does not issue a DELETE request for the tag.

Is it possible to check whether the reference is tagged - and issue two DELETE requests (first for the tag, then for the digest)?

The OCI Distribution Spec supports this... (see end-9)

[mtrmac]

Thanks for your report.

Compare https://github.com/containers/skopeo/issues/1432 ; deleting a tag was historically not possible (apart from some … creative workaround, which wouldn’t work on the registry in question). The OCI spec has added that, but it’s not yet implemented (and I’m not sure that we can just change the API behavior).

[cfiderer]

Do you think an additional DELETE request for the tag (before deleting the digest) will break compatibility, if an error is reported but otherwise ignored? I assume the benefit will outweigh the API behavior change. (just my 2 cent)

Looking at the OCI Distribution Spec, deleting tags is specified at least since two years.