1podman-pull(1) General Commands Manual podman-pull(1)
2
6 podman-pull - Pull an image from a registry
7
10 podman pull [options] source [source...]
11 podman image pull [options] source [source...]
14 podman pull [options] [transport]name[:tag|@digest]
17 podman image pull [options] [transport]name[:tag|@digest]
20
23 podman pull copies an image from a registry onto the local machine. The
24 command can pull one or more images. If the image reference in the
25 command line argument does not contain a registry, it is referred to as
26 ashort-name reference. If the image is a 'short-name' reference, Podman
27 prompts the user for the specific container registry to pull the image
28 from, if an alias for the short-name has not been specified in the
29 short-name-aliases.conf. If an image tag is not specified, podman pull
30 defaults to the image with the latest tag (if it exists) and pulls it.
31 After the image is pulled, podman prints the full image ID. podman
32 pull can also pull images using a digest podman pull image@digest and
33 can also be used to pull images from archives and local storage using
34 different transports. IMPORTANT: Images are stored in local image
35 storage.
36
39 SOURCE is the location from which the container image is pulled from.
40 It supports all transports from containers-transports(5). If no trans‐
41 port is specified, the input is subject to short-name resolution and
42 the docker (i.e., container registry) transport is used. For remote
43 clients, including Mac and Windows (excluding WSL2) machines, docker is
44 the only supported transport.
45 # Pull from a container registry
47 $ podman pull quay.io/username/myimage
48 # Pull from a container registry with short-name resolution
50 $ podman pull fedora
51 # Pull from a container registry via the docker transport
53 $ podman pull docker://quay.io/username/myimage
54 # Pull from a local directory
56 $ podman pull dir:/tmp/myimage
57 # Pull from a tarball in the docker-archive format
59 $ podman pull docker-archive:/tmp/myimage
60 # Pull from a local docker daemon
62 $ sudo podman pull docker-daemon:docker.io/library/myimage:33
63 # Pull from a tarball in the OCI-archive format
65 $ podman pull oci-archive:/tmp/myimage
66
70 --all-tags, -a
71 All tagged images in the repository are pulled.
72 *IMPORTANT: When using the all-tags flag, Podman does not iterate over
75 the search registries in the containers-registries.conf(5) but always
76 uses docker.io for unqualified image names.*
77 --arch=ARCH
80 Override the architecture, defaults to hosts, of the image to be
81 pulled. For example, arm. Unless overridden, subsequent lookups of the
82 same image in the local storage matches this architecture, regardless
83 of the host.
84 --authfile=path
87 Path of the authentication file. Default is ${XDG_RUNTIME_DIR}/contain‐
88 ers/auth.json on Linux, and $HOME/.config/containers/auth.json on Win‐
89 dows/macOS. The file is created by podman login. If the authorization
90 state is not found there, $HOME/.docker/config.json is checked, which
91 is set using docker login.
92 Note: There is also the option to override the default path of the au‐
95 thentication file by setting the REGISTRY_AUTH_FILE environment vari‐
96 able. This can be done with export REGISTRY_AUTH_FILE=path.
97 --cert-dir=path
100 Use certificates at path (*.crt, *.cert, *.key) to connect to the reg‐
101 istry. (Default: /etc/containers/certs.d) For details, see containers-
102 certs.d(5). (This option is not available with the remote Podman
103 client, including Mac and Windows (excluding WSL2) machines)
104 --creds=[username[:password]]
107 The [username[:password]] to use to authenticate with the registry, if
108 required. If one or both values are not supplied, a command line
109 prompt appears and the value can be entered. The password is entered
110 without echo.
111 Note that the specified credentials are only used to authenticate
114 against target registries. They are not used for mirrors or when the
115 registry gets rewritten (see containers-registries.conf(5)); to authen‐
116 ticate against those consider using a containers-auth.json(5) file.
117 --decryption-key=key[:passphrase]
120 The [key[:passphrase]] to be used for decryption of images. Key can
121 point to keys and/or certificates. Decryption is tried with all keys.
122 If the key is protected by a passphrase, it is required to be passed in
123 the argument and omitted otherwise.
124 --disable-content-trust
127 This is a Docker-specific option to disable image verification to a
128 container registry and is not supported by Podman. This option is a
129 NOOP and provided solely for scripting compatibility.
130 --help, -h
133 Print the usage statement.
134 --os=OS
137 Override the OS, defaults to hosts, of the image to be pulled. For ex‐
138 ample, windows. Unless overridden, subsequent lookups of the same im‐
139 age in the local storage matches this OS, regardless of the host.
140 --platform=OS/ARCH
143 Specify the platform for selecting the image. (Conflicts with --arch
144 and --os) The --platform option can be used to override the current ar‐
145 chitecture and operating system. Unless overridden, subsequent lookups
146 of the same image in the local storage matches this platform, regard‐
147 less of the host.
148 --quiet, -q
151 Suppress output information when pulling images
152 --tls-verify
155 Require HTTPS and verify certificates when contacting registries (de‐
156 fault: true). If explicitly set to true, TLS verification is used. If
157 set to false, TLS verification is not used. If not specified, TLS ver‐
158 ification is used unless the target registry is listed as an insecure
159 registry in containers-registries.conf(5)
160 --variant=VARIANT
163 Use VARIANT instead of the default architecture variant of the con‐
164 tainer image. Some images can use multiple variants of the arm archi‐
165 tectures, such as arm/v5 and arm/v7.
166
169 short-name-aliases.conf (/var/cache/containers/short-name-aliases.conf,
170 $HOME/.cache/containers/short-name-aliases.conf)
171 When users specify images that do not include the container registry
174 where the image is stored, this is called a short name. The use of un‐
175 qualified-search registries entails an ambiguity as it is unclear from
176 which registry a given image, referenced by a short name, may be pulled
177 from.
178 Using short names is subject to the risk of hitting squatted registry
181 namespaces. If the unqualified-search registries are set to ["public-
182 registry.com", "my-private-registry.com"] an attacker may take over a
183 namespace of public-registry.com such that an image may be pulled from
184 public-registry.com instead of the intended source my-private-reg‐
185 istry.com.
186 While it is highly recommended to always use fully-qualified image ref‐
189 erences, existing deployments using short names may not be easily
190 changed. To circumvent the aforementioned ambiguity, so called short-
191 name aliases can be configured that point to a fully-qualified image
192 reference. Distributions often ship a default shortnames.conf expansion
193 file in /etc/containers/registries.conf.d/ directory. Administrators
194 can use this directory to add their own local short-name expansion
195 files.
196 When pulling an image, if the user does not specify the complete reg‐
199 istry, container engines attempt to expand the short-name into a full
200 name. If the command is executed with a tty, the user is prompted to
201 select a registry from the default list unqualified registries defined
202 in registries.conf. The user's selection is then stored in a cache file
203 to be used in all future short-name expansions. Rootful short-names are
204 stored in /var/cache/containers/short-name-aliases.conf. Rootless
205 short-names are stored in the $HOME/.cache/containers/short-name-
206 aliases.conf file.
207 For more information on short-names, see containers-registries.conf(5)
210 registries.conf (/etc/containers/registries.conf)
213 registries.conf is the configuration file which specifies which con‐
216 tainer registries is consulted when completing image names which do not
217 include a registry or domain portion.
218 NOTE: Use the environment variable TMPDIR to change the temporary stor‐
221 age location of downloaded container images. Podman defaults to use
222 /var/tmp.
223
226 Pull a single image with short name resolution.
227 $ podman pull alpine:latest
229 Resolved "alpine" as an alias (/etc/containers/registries.conf.d/000-shortnames.conf)
230 Trying to pull docker.io/library/alpine:latest...
231 Getting image source signatures
232 Copying blob 5843afab3874 done
233 Copying config d4ff818577 done
234 Writing manifest to image destination
235 Storing signatures
236 d4ff818577bc193b309b355b02ebc9220427090057b54a59e73b79bdfe139b83
237 Pull multiple images with/without short name resolution.
241 podman pull busybox:musl alpine quay.io/libpod/cirros
243 Trying to pull docker.io/library/busybox:musl...
244 Getting image source signatures
245 Copying blob 0c52b060233b [--------------------------------------] 0.0b / 0.0b
246 Copying config 9ad2c435a8 done
247 Writing manifest to image destination
248 Storing signatures
249 9ad2c435a887e3f723654e09b48563de44aa3c7950246b2e9305ec85dd3422db
250 Trying to pull docker.io/library/alpine:latest...
251 Getting image source signatures
252 Copying blob 5843afab3874 [--------------------------------------] 0.0b / 0.0b
253 Copying config d4ff818577 done
254 Writing manifest to image destination
255 Storing signatures
256 d4ff818577bc193b309b355b02ebc9220427090057b54a59e73b79bdfe139b83
257 Trying to pull quay.io/libpod/cirros:latest...
258 Getting image source signatures
259 Copying blob 8da581cc9286 done
260 Copying blob 856628d95d17 done
261 Copying blob f513001ba4ab done
262 Copying config 3c82e4d066 done
263 Writing manifest to image destination
264 Storing signatures
265 3c82e4d066cf6f9e50efaead6e3ff7fddddf5527826afd68e5a969579fc4db4a
266 Pull an image using its digest.
270 $ podman pull alpine@sha256:d7342993700f8cd7aba8496c2d0e57be0666e80b4c441925fc6f9361fa81d10e
272 Trying to pull docker.io/library/alpine@sha256:d7342993700f8cd7aba8496c2d0e57be0666e80b4c441925fc6f9361fa81d10e...
273 Getting image source signatures
274 Copying blob 188c0c94c7c5 done
275 Copying config d6e46aa247 done
276 Writing manifest to image destination
277 Storing signatures
278 d6e46aa2470df1d32034c6707c8041158b652f38d2a9ae3d7ad7e7532d22ebe0
279 Pull an image by specifying an authentication file.
283 $ podman pull --authfile temp-auths/myauths.json docker://docker.io/umohnani/finaltest
285 Trying to pull docker.io/umohnani/finaltest:latest...Getting image source signatures
286 Copying blob sha256:6d987f6f42797d81a318c40d442369ba3dc124883a0964d40b0c8f4f7561d913
287 1.90 MB / 1.90 MB [========================================================] 0s
288 Copying config sha256:ad4686094d8f0186ec8249fc4917b71faa2c1030d7b5a025c29f26e19d95c156
289 1.41 KB / 1.41 KB [========================================================] 0s
290 Writing manifest to image destination
291 Storing signatures
292 03290064078cb797f3e0a530e78c20c13dd22a3dd3adf84a5da2127b48df0438
293 Pull an image by authenticating to a registry.
297 $ podman pull --creds testuser:testpassword docker.io/umohnani/finaltest
299 Trying to pull docker.io/umohnani/finaltest:latest...Getting image source signatures
300 Copying blob sha256:6d987f6f42797d81a318c40d442369ba3dc124883a0964d40b0c8f4f7561d913
301 1.90 MB / 1.90 MB [========================================================] 0s
302 Copying config sha256:ad4686094d8f0186ec8249fc4917b71faa2c1030d7b5a025c29f26e19d95c156
303 1.41 KB / 1.41 KB [========================================================] 0s
304 Writing manifest to image destination
305 Storing signatures
306 03290064078cb797f3e0a530e78c20c13dd22a3dd3adf84a5da2127b48df0438
307 Pull an image using tls verification.
311 $ podman pull --tls-verify=false --cert-dir image/certs docker.io/umohnani/finaltest
313 Trying to pull docker.io/umohnani/finaltest:latest...Getting image source signatures
314 Copying blob sha256:6d987f6f42797d81a318c40d442369ba3dc124883a0964d40b0c8f4f7561d913
315 1.90 MB / 1.90 MB [========================================================] 0s
316 Copying config sha256:ad4686094d8f0186ec8249fc4917b71faa2c1030d7b5a025c29f26e19d95c156
317 1.41 KB / 1.41 KB [========================================================] 0s
318 Writing manifest to image destination
319 Storing signatures
320 03290064078cb797f3e0a530e78c20c13dd22a3dd3adf84a5da2127b48df0438
321 Pull an image by overriding the host architecture.
325 $ podman pull --arch=arm arm32v7/debian:stretch
327 Trying to pull docker.io/arm32v7/debian:stretch...
328 Getting image source signatures
329 Copying blob b531ae4a3925 done
330 Copying config 3cba58dad5 done
331 Writing manifest to image destination
332 Storing signatures
333 3cba58dad5d9b35e755b48b634acb3fdd185ab1c996ac11510cc72c17780e13c
334
338 podman(1), podman-push(1), podman-login(1), containers-certs.d(5), con‐
339 tainers-registries.conf(5), containers-transports(5)
340
343 July 2017, Originally compiled by Urvashi Mohnani umohnani@redhat.com
344 ⟨mailto:umohnani@redhat.com⟩
345 podman-pull(1)