skopeo-copy(1)()                                              skopeo-copy(1)()

NAME

       skopeo-copy - Copy an image (manifest, filesystem layers, signatures)
       from one location to another.

SYNOPSIS

       skopeo copy [--sign-by=key-ID] source-image destination-image

DESCRIPTION

       Copy an image (manifest, filesystem layers, signatures) from one
       location to another.

       Uses the system's trust policy to validate images, and rejects images
       not trusted by the policy.

       source-image use the "image name" format described above

       destination-image use the "image name" format described above

OPTIONS

       --all

       If source-image refers to a list of images, instead of copying just the
       image which matches the current OS and architecture (subject to the use
       of the global --override-os, --override-arch and --override-variant
       options), attempt to copy all of the images in the list, and the list
       itself.

       --authfile path

       Path of the authentication file. Default is
       ${XDG_RUNTIME_DIR}/containers/auth.json, which is set using podman
       login. If the authorization state is not found there,
       $HOME/.docker/config.json is checked, which is set using docker login.

       Note: You can also override the default path of the authentication file
       by setting the REGISTRY_AUTH_FILE environment variable:
       export REGISTRY_AUTH_FILE=path

       --src-authfile path

       Path of the authentication file for the source registry. Uses path
       given by --authfile, if not provided.

       --dest-authfile path

       Path of the authentication file for the destination registry. Uses path
       given by --authfile, if not provided.

       --format, -f manifest-type Manifest type (oci, v2s1, or v2s2) to use
       when saving image to directory using the 'dir:' transport (default is
       manifest type of source)

       --quiet, -q suppress output information when copying images

       --remove-signatures do not copy signatures, if any, from source-image.
       Necessary when copying a signed image to a destination which does not
       support signatures.

       --sign-by=key-id add a signature using that key ID for an image name
       corresponding to destination-image

       --encryption-key Key a reference prefixed with the encryption protocol
       to use. The supported protocols are JWE, PGP and PKCS7. For instance,
       jwe:/path/to/key.pem or pgp:admin@example.com or
       pkcs7:/path/to/x509-file. This feature is still experimental.

       --decryption-key Key a reference required to perform decryption of
       container images. This should point to files which represent keys and/or
       certificates that can be used for decryption. Decryption will be tried
       with all keys. This feature is still experimental.

       --src-creds username[:password] for accessing the source registry

       --dest-compress bool-value Compress tarball image layers when saving to
       directory using the 'dir' transport. (default is same compression type
       as source)

       --dest-oci-accept-uncompressed-layers bool-value Allow uncompressed
       image layers when saving to an OCI image using the 'oci' transport.
       (default is to compress things that aren't compressed)

       --dest-creds username[:password] for accessing the destination registry

       --src-cert-dir path Use certificates at path (*.crt, *.cert, *.key) to
       connect to the source registry or daemon

       --src-no-creds bool-value Access the registry anonymously.

       --src-tls-verify bool-value Require HTTPS and verify certificates when
       talking to container source registry or daemon (defaults to true)

       --dest-cert-dir path Use certificates at path (*.crt, *.cert, *.key) to
       connect to the destination registry or daemon

       --dest-no-creds bool-value Access the registry anonymously.

       --dest-tls-verify bool-value Require HTTPS and verify certificates when
       talking to container destination registry or daemon (defaults to true)

       --src-daemon-host host Copy from docker daemon at host. If host starts
       with tcp://, HTTPS is enabled by default. To use plain HTTP, use the
       form http:// (default is unix:///var/run/docker.sock).

       --dest-daemon-host host Copy to docker daemon at host. If host starts
       with tcp://, HTTPS is enabled by default. To use plain HTTP, use the
       form http:// (default is unix:///var/run/docker.sock).

       Existing signatures, if any, are preserved as well.

       --dest-compress-format format Specifies the compression format to use.
       Supported values are: gzip and zstd.

       --dest-compress-level format Specifies the compression level to use.
       The value is specific to the compression algorithm used, e.g. for zstd
       the accepted values are in the range 1-20 (inclusive), while for gzip
       it is 1-9 (inclusive).
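
       An added example (not part of the skopeo documentation or code) that
       resolves which credentials file a copy would read for the source or
       destination side, following the --authfile, --src-authfile,
       --dest-authfile and REGISTRY_AUTH_FILE rules above, and flags files
       that other users can access. The function names, the precedence of a
       flag over the environment variable, and the treatment of "not found"
       as "file missing" are assumptions of this example.

```python
import os
import stat
import tempfile

def candidate_authfiles(side, flags, env):
    """Ordered credential-file candidates for side "src" or "dest"."""
    # --src-authfile / --dest-authfile fall back to --authfile.
    explicit = flags.get(f"{side}-authfile") or flags.get("authfile")
    # Assumption: a command-line flag takes precedence over REGISTRY_AUTH_FILE.
    explicit = explicit or env.get("REGISTRY_AUTH_FILE")
    if explicit:
        return [explicit]
    paths = []
    if env.get("XDG_RUNTIME_DIR"):
        paths.append(os.path.join(env["XDG_RUNTIME_DIR"], "containers", "auth.json"))
    if env.get("HOME"):
        paths.append(os.path.join(env["HOME"], ".docker", "config.json"))
    return paths

def audit(side, flags, env):
    """Return (path, findings) for the first candidate file that exists."""
    # Simplification: "not found there" is treated as "file does not exist".
    for path in candidate_authfiles(side, flags, env):
        try:
            st = os.stat(path)
        except FileNotFoundError:
            continue
        findings = []
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(f"mode {stat.S_IMODE(st.st_mode):04o} grants group/other access")
        if st.st_uid != os.getuid():
            findings.append("not owned by the current user")
        return path, findings
    return None, []

def demo():
    """Constructed home directory whose only credentials file is a 0644 docker config."""
    with tempfile.TemporaryDirectory() as home:
        os.mkdir(os.path.join(home, ".docker"))
        cfg = os.path.join(home, ".docker", "config.json")
        with open(cfg, "w") as f:
            f.write('{"auths": {}}')
        os.chmod(cfg, 0o644)
        env = {"XDG_RUNTIME_DIR": os.path.join(home, "run"), "HOME": home}
        path, findings = audit("src", {}, env)
        return os.path.relpath(path, home), findings

if __name__ == "__main__":
    print(demo())
```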

EXAMPLES

       To copy the layers of the docker.io busybox image to a local directory:

              $ mkdir -p /var/lib/images/busybox
              $ skopeo copy docker://busybox:latest dir:/var/lib/images/busybox
              $ ls /var/lib/images/busybox/*
                /var/lib/images/busybox/2b8fd9751c4c0f5dd266fcae00707e67a2545ef34f9a29354585f93dac906749.tar
                /var/lib/images/busybox/manifest.json
                /var/lib/images/busybox/8ddc19f16526912237dd8af81971d5e4dd0587907234be2b83e249518d5b673f.tar

       To copy and sign an image:

              # skopeo copy --sign-by dev@example.com container-storage:example/busybox:streaming docker://example/busybox:gold

       To encrypt an image:

              skopeo copy docker://docker.io/library/nginx:1.17.8 oci:local_nginx:1.17.8

              openssl genrsa -out private.key 2048
              openssl rsa -in private.key -pubout > public.key

              skopeo copy --encryption-key jwe:./public.key oci:local_nginx:1.17.8 oci:try-encrypt:encrypted

       To decrypt an image:

              skopeo copy --decryption-key ./private.key oci:try-encrypt:encrypted oci:try-decrypt:decrypted

       To copy an encrypted image without decryption:

              skopeo copy oci:try-encrypt:encrypted oci:try-encrypt-copy:encrypted

       To decrypt an image that requires more than one key:

              skopeo copy --decryption-key ./private1.key --decryption-key ./private2.key --decryption-key ./private3.key oci:try-encrypt:encrypted oci:try-decrypt:decrypted

       Container images can also be partially encrypted by specifying the
       index of the layer. Layer indices are 0-based, with support for
       negative indexing: 0 is the first layer, -1 is the last layer.

       Suppose that, of the 3 layers that make up the image
       docker.io/library/nginx:1.17.8, we only want to encrypt the 2nd layer:

              skopeo copy --encryption-key jwe:./public.key --encrypt-layer 1 oci:local_nginx:1.17.8 oci:try-encrypt:encrypted
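
       An added example (not part of the skopeo documentation or code) that
       checks the result of a partial encryption like the one above: it reads
       the manifest of an oci: layout, reports which layers carry the
       +encrypted media-type suffix, and compares that with the
       --encrypt-layer indices, negative ones included. The function names
       and the sample layout are constructed for illustration, and the tag is
       assumed to point at a single image manifest.

```python
import hashlib
import json
import re
import tempfile
from pathlib import Path

REF_NAME = "org.opencontainers.image.ref.name"  # tag annotation in index.json

def encrypted_layers(layout, tag):
    """One bool per layer of oci:LAYOUT:TAG; True means the layer is encrypted."""
    descs = json.loads(Path(layout, "index.json").read_text())["manifests"]
    desc = next((d for d in descs if d.get("annotations", {}).get(REF_NAME) == tag), None)
    if desc is None:
        raise LookupError(f"tag {tag!r} not found in {layout}")
    # The digest becomes a file name, so validate it before touching the disk.
    m = re.fullmatch(r"sha256:([0-9a-f]{64})", desc["digest"])
    if not m:
        raise ValueError("unexpected digest format")
    raw = Path(layout, "blobs", "sha256", m.group(1)).read_bytes()
    if hashlib.sha256(raw).hexdigest() != m.group(1):
        raise ValueError("manifest blob does not match its digest")
    # Assumption: the tag points at a single image manifest, not an image index.
    return [layer["mediaType"].endswith("+encrypted") for layer in json.loads(raw)["layers"]]

def matches_request(actual, encrypt_layer):
    """True if exactly the layers named by the --encrypt-layer values are encrypted."""
    n = len(actual)
    if any(not -n <= i < n for i in encrypt_layer):
        raise IndexError("layer index out of range")
    wanted = {i % n for i in encrypt_layer}  # -1 maps to the last layer
    return actual == [i in wanted for i in range(n)]

def build_sample(layout, tag, media_types):
    """Write a constructed OCI layout (manifest only, no real layer blobs)."""
    layers = [{"mediaType": t, "digest": "sha256:" + "0" * 64, "size": 0} for t in media_types]
    raw = json.dumps({"schemaVersion": 2, "layers": layers}).encode()
    digest = hashlib.sha256(raw).hexdigest()
    blobs = Path(layout, "blobs", "sha256")
    blobs.mkdir(parents=True)
    (blobs / digest).write_bytes(raw)
    manifests = [{"digest": "sha256:" + digest, "annotations": {REF_NAME: tag}}]
    Path(layout, "index.json").write_text(json.dumps({"schemaVersion": 2, "manifests": manifests}))

def demo():
    """Constructed 3-layer image with only the 2nd layer (index 1) encrypted."""
    plain = "application/vnd.oci.image.layer.v1.tar+gzip"
    with tempfile.TemporaryDirectory() as d:
        build_sample(d, "encrypted", [plain, plain + "+encrypted", plain])
        actual = encrypted_layers(d, "encrypted")
    return actual, matches_request(actual, [1]), matches_request(actual, [-1])
```

       After a real copy, encrypted_layers("try-encrypt", "encrypted") reads
       the layout written by the command above.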

SEE ALSO

       skopeo(1), podman-login(1), docker-login(1)

AUTHORS

       Antonio Murdaca runcom@redhat.com, Miloslav Trmac mitr@redhat.com,
       Jhon Honce jhonce@redhat.com