Module 11 Lesson 5: Image Lifecycle Management

Keep your registry clean. Learn about image retention policies, cleaning up old tags, and why ignoring image bloat will eventually crash your cloud budget.

If you build an image on every commit, and your team commits 100 times a day, your registry will accumulate about 36,000 images per year. Storage is not free, and managing this "Bloat" is a key part of Production Ops.

1. Why Cleanup Matters

  1. Cost: AWS and GitHub charge for the GBs of storage your images take.
  2. Searchability: It becomes impossible to find the "Real" production image in a sea of 10,000 abandoned test images.
  3. Security: Older images carry more known, unpatched vulnerabilities. If they are still in your registry, someone might accidentally deploy them 2 years from now.

2. Retention Policies

Most registries (ECR, GHCR, Artifactory) allow you to set Automatic Rules for deletion.

  • Rule A: By Count: "Only keep the last 50 images for this app."
  • Rule B: By Age: "Delete any image that hasn't been pulled in 90 days."
  • Rule C: By Tag: "Never delete tags starting with prod-, but delete everything else after 7 days."
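
The three rules above, sketched as a small evaluator over a constructed image inventory. This is an added example, not part of the original lesson or any registry's API; `Image`, `plan_deletions`, the parameter names and the sample digests are hypothetical. It shows why a protected tag has to protect the whole digest, not just its own name.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass(frozen=True)
class Image:
    digest: str
    tags: tuple                      # one digest can carry several tags
    pushed: datetime
    last_pulled: Optional[datetime]  # None means never pulled

def plan_deletions(images, now, keep_last=None, max_idle_days=None,
                   max_age_days=None, protected_prefix=None):
    """Return digests to delete, newest first. A rule left as None is off."""
    newest_first = sorted(images, key=lambda i: i.pushed, reverse=True)
    doomed = []
    for rank, img in enumerate(newest_first):
        # Deleting a digest removes every tag pointing at it, so a single
        # protected tag must protect the whole image.
        if protected_prefix and any(t.startswith(protected_prefix) for t in img.tags):
            continue
        last_use = img.last_pulled or img.pushed  # never pulled: idle since push
        over_count = keep_last is not None and rank >= keep_last          # Rule A
        idle = (max_idle_days is not None
                and now - last_use > timedelta(days=max_idle_days))       # Rule B
        aged = (max_age_days is not None
                and now - img.pushed > timedelta(days=max_age_days))      # Rule C
        if over_count or idle or aged:
            doomed.append(img.digest)
    return doomed

# Constructed inventory; digests and tags are placeholders.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
def ago(days):
    return NOW - timedelta(days=days)

INVENTORY = [
    Image("sha256:aaa", ("prod-1.4.0", "build-310"), ago(200), ago(1)),
    Image("sha256:bbb", ("build-295",), ago(120), ago(100)),
    Image("sha256:ccc", ("build-300",), ago(30), None),
    Image("sha256:ddd", ("build-311",), ago(3), ago(2)),
    Image("sha256:eee", (), ago(10), None),  # untagged
]

if __name__ == "__main__":
    print("A:", plan_deletions(INVENTORY, NOW, keep_last=2, protected_prefix="prod-"))
    print("B:", plan_deletions(INVENTORY, NOW, max_idle_days=90))
    print("C:", plan_deletions(INVENTORY, NOW, max_age_days=7, protected_prefix="prod-"))
```

Without `protected_prefix`, the age rule would also select `sha256:aaa`, the digest behind `prod-1.4.0`, because that image was pushed 200 days ago.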

Visualizing the Process

graph TD
    Start[Input] --> Process[Processing]
    Process --> Decision{Check}
    Decision -->|Success| End[Complete]
    Decision -->|Retry| Process

3. Pruning on the Server

Don't forget the servers running the code!

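  • When you docker pull a new version, the old version stays on the server's hard drive. If the new image took over the same tag, the old one is left untagged as a "Dangling" image; otherwise it remains as an unused tagged image.
  • The Solution: Run a weekly cron job on your servers:
    docker image prune -a -f --filter "until=168h"
    
    (This deletes any image created more than 1 week ago that is not used by any container, running or stopped. The -f flag skips the confirmation prompt, which a cron job cannot answer.)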

4. Immutable Tags (Advanced Security)

Some registries allow you to mark tags as "Immutable."

  • Once v1.0.0 is pushed, it can NEVER be overwritten.
  • This prevents an attacker (who has stolen your password) from replacing your good image with a malicious one while keeping the same name.

Exercise: The Budget Audit

  1. Identify a project you have pushed to a registry (like GitHub or Docker Hub).
  2. How many "Tags" are currently in that repository?
  3. How much total storage are they taking?
  4. If your registry costs $0.10 per GB/month, and you add 1GB of images every day, how much will you be paying in 1 year if you never clean up?
  5. Research: How do you set a "Lifecycle Policy" in AWS ECR?

Conclusion of Module 11

You have mastered the Docker Supply Chain. You can build, test, push, and manage the entire lifecycle of your images from a local laptop all the way to a clean, automated production registry.

Next Module: The "Next Level" of containerization: Module 12: Moving to Orchestration (Docker Swarm and Kubernetes Basics).
