buildah-push(1)             General Commands Manual            buildah-push(1)

NAME

       buildah-push - Push an image, manifest list or image index from local
       storage to elsewhere.

SYNOPSIS

       buildah push [options] image [destination]

DESCRIPTION

       Pushes an image from local storage to a specified destination,
       decompressing and recompressing layers as needed.

imageID

       Image stored in local container/storage

DESTINATION

       The DESTINATION is a location to store container images. If omitted,
       the source image parameter will be reused as destination.

       The Image "DESTINATION" uses a "transport":"details" format. Multiple
       transports are supported:

       dir:path
           An existing local directory path storing the manifest, layer
           tarballs and signatures as individual files. This is a
           non-standardized format, primarily useful for debugging or
           noninvasive container inspection.

       docker://docker-reference
           An image in a registry implementing the "Docker Registry HTTP API
           V2". By default, uses the authorization state in
           $XDG_RUNTIME_DIR/containers/auth.json, which is set using
           (buildah login). If the authorization state is not found there,
           $HOME/.docker/config.json is checked, which is set using
           (docker login).
           If docker-reference does not include a registry name, the image
           will be pushed to a registry running on localhost.

       docker-archive:path[:docker-reference]
           An image is stored in the docker save formatted file.
           docker-reference is only used when creating such a file, and it
           must not contain a digest.

       docker-daemon:docker-reference
           An image docker-reference stored in the docker daemon internal
           storage. If docker-reference does not begin with a valid registry
           name (a domain name containing "." or the reserved name
           "localhost") then the default registry name "docker.io" will be
           prepended. docker-reference must contain either a tag or a digest.
           Alternatively, when reading images, the format can also be
           docker-daemon:algo:digest (an image ID).

       oci:path:tag
           An image tag in a directory compliant with "Open Container Image
           Layout Specification" at path.

       oci-archive:path:tag
           An image tag in a tar archive compliant with "Open Container Image
           Layout Specification" at path.

       If the transport part of DESTINATION is omitted, "docker://" is
       assumed.

OPTIONS

       --all

       If the specified image is a manifest list or image index, push the
       images in addition to the list or index itself.

       --authfile path

       Path of the authentication file. Default is
       ${XDG_RUNTIME_DIR}/containers/auth.json, which is set using buildah
       login. If the authorization state is not found there,
       $HOME/.docker/config.json is checked, which is set using docker login.

       --cert-dir path

       Use certificates at path (*.crt, *.cert, *.key) to connect to the
       registry. The default certificates directory is
       /etc/containers/certs.d.

       --creds creds

       The [username[:password]] to use to authenticate with the registry if
       required. If one or both values are not supplied, a command line
       prompt will appear and the value can be entered. The password is
       entered without echo.

       --digestfile Digestfile

       After copying the image, write the digest of the resulting image to the
       file.

       --disable-compression, -D

       Don't compress copies of filesystem layers which will be pushed.

       --encryption-key key

       The [protocol:keyfile] specifies the encryption protocol, which can be
       JWE (RFC7516), PGP (RFC4880), and PKCS7 (RFC2315), and the key material
       required for image encryption. For instance, jwe:/path/to/key.pem or
       pgp:admin@example.com or pkcs7:/path/to/x509-file.

       --encrypt-layer layer(s)

       Layer(s) to encrypt: 0-indexed layer indices with support for negative
       indexing (e.g. 0 is the first layer, -1 is the last layer). If not
       defined, all layers are encrypted if the --encryption-key flag is
       specified.

       --format, -f

       Manifest Type (oci, v2s2, or v2s1) to use when pushing an image.
       (Supported for dir and docker transports)

       --quiet, -q

       When writing the output image, suppress progress output.

       --remove-signatures

       Don't copy signatures when pushing images.

       --rm

       When pushing a manifest list or image index, delete it from local
       storage if pushing succeeds.

       --sign-by fingerprint

       Sign the pushed image using the GPG key that matches the specified
       fingerprint.

       --tls-verify bool-value

       Require HTTPS and verification of certificates when talking to
       container registries (defaults to true). TLS verification cannot be
       used when talking to an insecure registry.

EXAMPLE

       This example pushes the image specified by the imageID to a local
       directory in docker format.

       # buildah push imageID dir:/path/to/image

       This example pushes the image specified by the imageID to a local
       directory in oci format.

       # buildah push imageID oci:/path/to/layout:image:tag

       This example pushes the image specified by the imageID to a tar archive
       in oci format.

       # buildah push imageID oci-archive:/path/to/archive:image:tag

       This example pushes the image specified by the imageID to a container
       registry named registry.example.com.

       # buildah push imageID docker://registry.example.com/repository:tag

       This example pushes the image specified by the imageID to a container
       registry named registry.example.com and saves the digest in the
       specified digestfile.

       # buildah push --digestfile=/tmp/mydigest imageID docker://registry.example.com/repository:tag

       This example works like docker push, assuming
       registry.example.com/my_image is a local image.

       # buildah push registry.example.com/my_image

       This example pushes the image specified by the imageID to a private
       container registry named registry.example.com with authentication from
       /tmp/auths/myauths.json.

       # buildah push --authfile /tmp/auths/myauths.json imageID docker://registry.example.com/repository:tag

       This example pushes the image specified by the imageID and puts it into
       the local docker container store.

       # buildah push imageID docker-daemon:image:tag

       This example pushes the image specified by the imageID and puts it into
       the registry on the localhost while turning off tls verification.

       # buildah push --tls-verify=false imageID docker://localhost:5000/my-imageID

       This example pushes the image specified by the imageID and puts it into
       the registry on the localhost using credentials and certificates for
       authentication.

       # buildah push --cert-dir ~/auth --tls-verify=true --creds=username:password imageID docker://localhost:5000/my-imageID

ENVIRONMENT

       BUILD_REGISTRY_SOURCES

       BUILD_REGISTRY_SOURCES, if set, is treated as a JSON object which
       contains lists of registry names under the keys insecureRegistries,
       blockedRegistries, and allowedRegistries.

       When pushing an image to a registry, the portion of the destination
       image name that corresponds to a registry is compared to the items in
       the blockedRegistries list, and if it matches any of them, the push
       attempt is denied. If there are registries in the allowedRegistries
       list, and the portion of the name that corresponds to the registry is
       not in the list, the push attempt is denied.

       TMPDIR

       The TMPDIR environment variable allows the user to specify where
       temporary files are stored while pulling and pushing images. Defaults
       to '/var/tmp'.
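
       The BUILD_REGISTRY_SOURCES rules described above, written out as a
       pre-flight check for a push destination. This is an added example, not
       buildah's own code: registry_of and check_push are hypothetical names,
       the sample policy is constructed, and exact case-insensitive matching
       on host[:port] is an assumption.

```python
import json
import os

# Transports from DESTINATION that write locally instead of to a registry.
LOCAL_TRANSPORTS = ("dir:", "docker-archive:", "docker-daemon:", "oci-archive:", "oci:")

# Constructed sample value for BUILD_REGISTRY_SOURCES (not from the man page).
SAMPLE = ('{"insecureRegistries": ["localhost:5000"], '
          '"blockedRegistries": ["bad.example.com"], '
          '"allowedRegistries": ["registry.example.com", "localhost:5000"]}')

def registry_of(destination):
    """Return host[:port] for a registry push, "" if unqualified, None if local."""
    if destination.startswith("docker://"):
        ref = destination[len("docker://"):]
    elif destination.startswith(LOCAL_TRANSPORTS):
        return None
    else:
        ref = destination  # transport omitted: docker:// is assumed
    first, slash, _ = ref.partition("/")
    # Docker reference convention: the first component names a registry only
    # if it contains "." or ":" or is the reserved name "localhost".
    if slash and ("." in first or ":" in first or first == "localhost"):
        return first.lower()
    return ""

def check_push(destination, sources_json):
    """Apply the blocked/allowed rules; return (permitted, reason)."""
    sources = json.loads(sources_json) if sources_json else {}
    blocked = {r.lower() for r in sources.get("blockedRegistries") or []}
    allowed = {r.lower() for r in sources.get("allowedRegistries") or []}
    registry = registry_of(destination)
    if registry is None:
        return True, "not a registry push"
    if registry == "":
        # Example's choice: fail closed when a list is set but no registry is named.
        return not (blocked or allowed), "no registry in destination"
    if registry in blocked:
        return False, registry + " is in blockedRegistries"
    if allowed and registry not in allowed:
        return False, registry + " is not in allowedRegistries"
    return True, registry + " permitted"

if __name__ == "__main__":
    policy = os.environ.get("BUILD_REGISTRY_SOURCES", SAMPLE)
    for dest in ("docker://registry.example.com/repository:tag",
                 "docker://bad.example.com/repository:tag", "my_image"):
        print(dest, "->", check_push(dest, policy))
```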

FILES

       registries.conf (/etc/containers/registries.conf)

       registries.conf is the configuration file which specifies which
       container registries should be consulted when completing image names
       which do not include a registry or domain portion.

       policy.json (/etc/containers/policy.json)

       Signature policy file. This defines the trust policy for container
       images. Controls which container registries can be used for images,
       and whether or not the tool should trust the images.

SEE ALSO

       buildah(1), buildah-login(1), containers-policy.json(5),
       docker-login(1), containers-registries.conf(5), buildah-manifest(1)

buildah                            June 2017                   buildah-push(1)