Images
dockmesh’s Images page shows every image on every host with size, age, in-use status, and vulnerability count (if scanning is enabled).
The list view
Columns:
| Column | Description |
|---|---|
| Repository:Tag | Full image reference with digest tooltip |
| Image ID | Short SHA |
| Size | On-disk size, uncompressed |
| Created | When the image was built |
| Host | Which host holds this copy |
| In use | ✓ if at least one container uses this image |
| CVEs | Count from Grype scan (if enabled) |
Multiple hosts often have the same image — each copy is a separate row unless you group by repository.
Pulling images
Actions → Pull image opens a dialog:
- Reference — e.g. postgres:16-alpine or ghcr.io/org/app:latest
- Host — single host or broadcast to a tag
- Credentials — optional, uses the saved registry if the reference matches
Pull progress streams live with per-layer bars. On failure, the full error is shown (DNS, auth, rate-limit, etc.).
Registry authentication
For private registries, save credentials once under Registries in the sidebar (its own top-level page, not under Settings):
| Field | Example |
|---|---|
| Name | ghcr-private |
| URL | ghcr.io |
| Username | dockmesh-bot |
| Password / Token | ghp_... |
| Scope tags | optional — restrict the credential to hosts carrying matching tags |
Authentication uses the standard Docker registry v2 protocol — anything that accepts a Bearer token or HTTP Basic auth works:
- Docker Hub (anonymous or auth)
- GitHub Container Registry (ghcr.io)
- GitLab Container Registry (registry.gitlab.com)
- Harbor (private)
- Gitea registry
- Any other Docker v2-compatible registry
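The Bearer-or-Basic negotiation named above, sketched as an added example (not dockmesh's own code): it reads the WWW-Authenticate challenge a v2 registry returns with a 401 and works out the next request a client makes. The function names and both sample challenges are constructed for illustration, and the HTTPS check on the token realm is an assumption added here, since the saved secret is sent to that URL.

```python
import base64
import re
from urllib.parse import urlencode

# Constructed sample challenges, shaped like the WWW-Authenticate header a
# v2 registry returns with a 401 on GET /v2/ (not captured from a real host).
BEARER_CHALLENGE = ('Bearer realm="https://ghcr.io/token",'
                    'service="ghcr.io",scope="repository:org/app:pull"')
BASIC_CHALLENGE = 'Basic realm="Registry Realm"'
_PARAM = re.compile(r'(\w+)="([^"]*)"')


def parse_challenge(header):
    """Split a WWW-Authenticate value into (scheme, params)."""
    scheme, _, rest = header.strip().partition(" ")
    return scheme.lower(), dict(_PARAM.findall(rest))


def basic_header(username, secret):
    """Authorization value for HTTP Basic (RFC 7617)."""
    raw = f"{username}:{secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def plan_auth(header, username=None, secret=None):
    """Describe the next request a client makes to satisfy the challenge."""
    scheme, params = parse_challenge(header)
    creds = basic_header(username, secret) if username else None
    if scheme == "basic":
        if creds is None:
            raise ValueError("registry requires credentials")
        return {"retry_with": creds}
    if scheme == "bearer":
        realm = params.get("realm", "")
        # The saved secret is sent to the realm URL, so refuse cleartext.
        if not realm.startswith("https://"):
            raise ValueError(f"refusing non-HTTPS token realm: {realm!r}")
        query = {k: params[k] for k in ("service", "scope") if k in params}
        return {
            "token_url": f"{realm}?{urlencode(query)}",
            # Anonymous pulls omit this header; private repos need it.
            "token_request_auth": creds,
            "retry_with": "Bearer <token from JSON response>",
        }
    raise ValueError(f"unsupported auth scheme: {scheme!r}")
```

The scope in the challenge is what the issued token will be limited to, so a pull-only credential should only ever see `pull` there.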
Cloud-provider registries with rotating tokens (AWS ECR, Google Artifact Registry) work too, but dockmesh has no native integration for the rotation: paste a current docker-login-compatible password and refresh it on your own schedule. For ECR that’s the output of aws ecr get-login-password; for GAR, an OAuth access token or the JSON service-account key in the password field.
Credentials are encrypted at rest with age, using the same key that protects stack .env files (DOCKMESH_SECRETS_KEY_PATH). The CA’s x509 material is a separate keypair.
Pruning
Over time, dangling images and old tags accumulate. dockmesh has three prune modes:
- Dangling only — images with <none> tags, safe to remove
- Unused — images not currently referenced by any container
- All but current — aggressive; keeps only images in use by running containers
Pruning runs per-host, on the hosts matched by the active host filter. The button is disabled when the current selection has nothing to prune, and the confirm dialog spells out that the action cannot be undone.
Image pruning is a manual operation today — there’s no built-in scheduler. If you want a cron-driven prune, hit the REST endpoint (POST /api/v1/images/prune) from your own job runner with a scoped API token.
Inspect
Clicking an image shows:
- Full digest
- Layer-by-layer breakdown with size and creation command
- Environment and exposed ports from the manifest
- Architecture (linux/amd64, linux/arm64, …)
- Base image (if detectable)
- Vulnerability report (CVE list with severity, fixed version)
See also
- Vulnerability Scanning — Grype integration
- Containers — what uses an image
- Configuration — registry auth env vars for bootstrap