You need to change the format used for images.used because that is also generated with the sha256 prefix. So right now it's trying to remove images that are in use.

Maybe it would be better to generate the exclude file in way so that it optionally matches the prefix?

Good catch, we shouldn't be trying to remove images used by existing containers I think I missed this because you can't force remove images if they're in use anyways.

ubuntu@testing:~$ docker rmi -f 0dc12b2
Failed to remove image (0dc12b2): Error response from daemon: conflict: unable to delete 0dc12b2 (cannot be forced) - image is being used by running container 0d322b2

Pertaining to modifying the exclude files to match the prefix how would that work? Depending on the docker version we want to ignore sha256: prepended to image ids. Generating the exlucde files to optionally match the prefix would make the code dependant on the docker version which I would personally like to avoid. Ideally the same code should work for all docker versions. Maybe here we can do this instead:

cat containers.keep |
xargs -n 1 $DOCKER inspect -f '{{.Image}}' | sed 's/sha256://' 2>/dev/null |
sort | uniq > images.used

Your thoughts?

something like this should work on both versions, also needs -E to the grep further down

     $DOCKER images \
         | tail -n+2 \
         | sed 's/^\([^ ]*\) *\([^ ]*\) *\([^ ]*\).*/ \1:\2 \3 /' \
         | grep -f $PROCESSED_EXCLUDES 2>/dev/null \
         | cut -d' ' -f3 \
-        | sed 's/^/^/' > $EXCLUDE_IDS_FILE
+        | sed 's/^/^(sha256:)?/' > $EXCLUDE_IDS_FILE

But I'm not really sure what I prefer. One issue I see with stripping the sha256 prefix is that there probably more places where a format like this will be produce and it could be hard to know we're not missing a spot.

Anyway I think this is up to the maintainers to decide I'm just another user seeing the same bug :)

While I was using it, i thought of the same solution as @keis