1OC ADM PRUNE(1)                    June 2016                   OC ADM PRUNE(1)
2
3
4

NAME

6       oc adm prune images - Remove unreferenced images
7
8
9

SYNOPSIS

11       oc adm prune images [OPTIONS]
12
13
14

DESCRIPTION

16       Remove image stream tags, images, and image layers by age or usage
17
18
19       This  command  removes historical image stream tags, unused images, and
20       unreferenced image layers from the integrated registry. By default, all
21       images  are  considered as candidates. The command can be instructed to
22       consider only images that have been directly pushed to the registry  by
23       supplying --all=false flag.
24
25
26       By default, the prune operation performs a dry run making no changes to
27       internal registry. A --confirm flag is needed for changes to be  effec‐
28       tive.  The  flag  requires  a valid route to the integrated Docker reg‐
29       istry. If this command is run outside of the cluster network, the route
30       needs to be provided using --registry-url.
31
32
33       Only  a  user  with a cluster role system:image-pruner or higher who is
34       logged-in will be able to actually delete the images.
35
36
37       If the registry is secured with a certificate signed by  a  self-signed
38       root certificate authority other than the one present in current user's
39       config, you may need to specify it using --certificate-authority flag.
40
41
42       Insecure connection is allowed in the following cases  unless  certifi‐
43       cate-authority is specified:
44
45       ·
46
47
48         · --force-insecure is given
49
50         · provided registry-url is prefixed with http://
51
52         · registry url is a private or link-local address
53
54         · user's config allows for insecure connection (the user logged in to
55         the cluster with --insecure-skip-tls-verify or allowed  for  insecure
56         connection)
57
58

OPTIONS

60       --all=true
61           Include  images that were imported from external registries as can‐
62       didates for pruning.  If pruned, all the  mirrored  objects  associated
63       with them will also be removed from the integrated registry.
64
65
66       --confirm=false
67           If  true,  specify  that  image pruning should proceed. Defaults to
68       false, displaying what would be deleted but not actually deleting  any‐
69       thing.  Requires  a  valid route to the integrated Docker registry (see
70       --registry-url).
71
72
73       --force-insecure=false
74           If true, allow an insecure connection to the docker  registry  that
75       is hosted via HTTP or has an invalid HTTPS certificate. Whenever possi‐
76       ble, use --certificate-authority instead of this dangerous option.
77
78
79       --ignore-invalid-refs=false
80           If true, the pruning process will ignore all errors  while  parsing
81       image  references.  This means that the pruning process will ignore the
82       intended connection between the object and the referenced image.  As  a
83       result an image may be incorrectly deleted as unused.
84
85
86       --keep-tag-revisions=3
87           Specify  the number of image revisions for a tag in an image stream
88       that will be preserved.
89
90
91       --keep-younger-than=0
92           Specify the minimum age of an image and its referrers for it to  be
93       considered a candidate for pruning.
94
95
96       --prune-over-size-limit=false
97           Specify  if  images  which  are  exceeding  LimitRanges (see 'open‐
98       shift.io/Image'), specified in the same namespace, should be considered
99       for  pruning. This flag cannot be combined with --keep-younger-than nor
100       --keep-tag-revisions.
101
102
103       --prune-registry=true
104           If false, the prune operation will clean up image API objects,  but
105       the  none  of the associated content in the registry is removed.  Note,
106       if only image API objects are cleaned up through use of this flag,  the
107       only  means for subsequently cleaning up registry data corresponding to
108       those image API objects is to employ the  'hard  prune'  administrative
109       task.
110
111
112       --registry-url=""
113           The  address  to use when contacting the registry, instead of using
114       the default value. This is useful if you can't  resolve  or  reach  the
115       registry  (e.g.; the default is a cluster-internal URL) but you do have
116       an alternative route that works. Particular transport protocol  can  be
117       enforced using '<scheme>://' prefix.
118
119
120

OPTIONS INHERITED FROM PARENT COMMANDS

122       --allow_verification_with_non_compliant_keys=false
123           Allow  a  SignatureVerifier  to  use  keys  which  are  technically
124       non-compliant with RFC6962.
125
126
127       --alsologtostderr=false
128           log to standard error as well as files
129
130
131       --application_metrics_count_limit=100
132           Max number of application metrics to store (per container)
133
134
135       --as=""
136           Username to impersonate for the operation
137
138
139       --as-group=[]
140           Group to impersonate for the operation, this flag can  be  repeated
141       to specify multiple groups.
142
143
144       --azure-container-registry-config=""
145           Path  to the file containing Azure container registry configuration
146       information.
147
148
149       --boot_id_file="/proc/sys/kernel/random/boot_id"
150           Comma-separated list of files to check for boot-id. Use  the  first
151       one that exists.
152
153
154       --cache-dir="/builddir/.kube/http-cache"
155           Default HTTP cache directory
156
157
158       --certificate-authority=""
159           Path to a cert file for the certificate authority
160
161
162       --client-certificate=""
163           Path to a client certificate file for TLS
164
165
166       --client-key=""
167           Path to a client key file for TLS
168
169
170       --cloud-provider-gce-lb-src-cidrs=130.211.0.0/22,209.85.152.0/22,209.85.204.0/22,35.191.0.0/16
171           CIDRs opened in GCE firewall for LB traffic proxy  health checks
172
173
174       --cluster=""
175           The name of the kubeconfig cluster to use
176
177
178       --container_hints="/etc/cadvisor/container_hints.json"
179           location of the container hints file
180
181
182       --containerd="unix:///var/run/containerd.sock"
183           containerd endpoint
184
185
186       --context=""
187           The name of the kubeconfig context to use
188
189
190       --default-not-ready-toleration-seconds=300
191           Indicates   the   tolerationSeconds   of   the    toleration    for
192       notReady:NoExecute  that is added by default to every pod that does not
193       already have such a toleration.
194
195
196       --default-unreachable-toleration-seconds=300
197           Indicates the tolerationSeconds  of  the  toleration  for  unreach‐
198       able:NoExecute  that  is  added  by  default to every pod that does not
199       already have such a toleration.
200
201
202       --docker="unix:///var/run/docker.sock"
203           docker endpoint
204
205
206       --docker-tls=false
207           use TLS to connect to docker
208
209
210       --docker-tls-ca="ca.pem"
211           path to trusted CA
212
213
214       --docker-tls-cert="cert.pem"
215           path to client certificate
216
217
218       --docker-tls-key="key.pem"
219           path to private key
220
221
222       --docker_env_metadata_whitelist=""
223           a comma-separated list of environment variable keys that  needs  to
224       be collected for docker containers
225
226
227       --docker_only=false
228           Only report docker containers in addition to root stats
229
230
231       --docker_root="/var/lib/docker"
232           DEPRECATED:  docker  root is read from docker info (this is a fall‐
233       back, default: /var/lib/docker)
234
235
236       --enable_load_reader=false
237           Whether to enable cpu load reader
238
239
240       --event_storage_age_limit="default=24h"
241           Max length of time for which to store events (per type). Value is a
242       comma  separated  list  of  key  values, where the keys are event types
243       (e.g.: creation, oom) or "default" and the value is a duration. Default
244       is applied to all non-specified event types
245
246
247       --event_storage_event_limit="default=100000"
248           Max  number  of  events to store (per type). Value is a comma sepa‐
249       rated list of key values, where the keys are event  types  (e.g.:  cre‐
250       ation,  oom)  or  "default"  and  the  value  is an integer. Default is
251       applied to all non-specified event types
252
253
254       --global_housekeeping_interval=0
255           Interval between global housekeepings
256
257
258       --housekeeping_interval=0
259           Interval between container housekeepings
260
261
262       --insecure-skip-tls-verify=false
263           If true, the server's certificate will not be checked for validity.
264       This will make your HTTPS connections insecure
265
266
267       --kubeconfig=""
268           Path to the kubeconfig file to use for CLI requests.
269
270
271       --log-flush-frequency=0
272           Maximum number of seconds between log flushes
273
274
275       --log_backtrace_at=:0
276           when logging hits line file:N, emit a stack trace
277
278
279       --log_cadvisor_usage=false
280           Whether to log the usage of the cAdvisor container
281
282
283       --log_dir=""
284           If non-empty, write log files in this directory
285
286
287       --logtostderr=true
288           log to standard error instead of files
289
290
291       --machine_id_file="/etc/machine-id,/var/lib/dbus/machine-id"
292           Comma-separated  list  of  files  to  check for machine-id. Use the
293       first one that exists.
294
295
296       --match-server-version=false
297           Require server version to match client version
298
299
300       -n, --namespace=""
301           If present, the namespace scope for this CLI request
302
303
304       --request-timeout="0"
305           The length of time to wait before giving  up  on  a  single  server
306       request. Non-zero values should contain a corresponding time unit (e.g.
307       1s, 2m, 3h). A value of zero means don't timeout requests.
308
309
310       -s, --server=""
311           The address and port of the Kubernetes API server
312
313
314       --stderrthreshold=2
315           logs at or above this threshold go to stderr
316
317
318       --storage_driver_buffer_duration=0
319           Writes in the storage driver will be buffered  for  this  duration,
320       and committed to the non memory backends as a single transaction
321
322
323       --storage_driver_db="cadvisor"
324           database name
325
326
327       --storage_driver_host="localhost:8086"
328           database host:port
329
330
331       --storage_driver_password="root"
332           database password
333
334
335       --storage_driver_secure=false
336           use secure connection with database
337
338
339       --storage_driver_table="stats"
340           table name
341
342
343       --storage_driver_user="root"
344           database username
345
346
347       --token=""
348           Bearer token for authentication to the API server
349
350
351       --user=""
352           The name of the kubeconfig user to use
353
354
355       -v, --v=0
356           log level for V logs
357
358
359       --version=false
360           Print version information and quit
361
362
363       --vmodule=
364           comma-separated  list  of pattern=N settings for file-filtered log‐
365       ging
366
367
368

EXAMPLE

370                # See, what the prune command would delete if only images and their referrers were more than an hour old
371                # and obsoleted by 3 newer revisions under the same tag were considered.
372                oc adm prune images --keep-tag-revisions=3 --keep-younger-than=60m
373
374                # To actually perform the prune operation, the confirm flag must be appended
375                oc adm prune images --keep-tag-revisions=3 --keep-younger-than=60m --confirm
376
377                # See, what the prune command would delete if we're interested in removing images
378                # exceeding currently set limit ranges ('openshift.io/Image')
379                oc adm prune images --prune-over-size-limit
380
381                # To actually perform the prune operation, the confirm flag must be appended
382                oc adm prune images --prune-over-size-limit --confirm
383
384                # Force the insecure http protocol with the particular registry host name
385                oc adm prune images --registry-url=http://registry.example.org --confirm
386
387                # Force a secure connection with a custom certificate authority to the particular registry host name
388                oc adm prune images --registry-url=registry.example.org --certificate-authority=/path/to/custom/ca.crt --confirm
389
390
391
392

SEE ALSO

394       oc-adm-prune(1),
395
396
397

HISTORY

399       June 2016, Ported from the Kubernetes man-doc generator
400
401
402
403Openshift                  Openshift CLI User Manuals          OC ADM PRUNE(1)
Impressum