1skopeo-sync(1)() skopeo-sync(1)()
2
3
4
6 skopeo-sync - Synchronize images between container registries and local
7 directories.
8
9
11 skopeo sync --src transport --dest transport source destination
12
13
15 Synchronize images between container registries and local directories.
16 The synchronization is achieved by copying all the images found at
17 source to destination.
18
19
20 Useful to synchronize a local container registry mirror, and to to pop‐
21 ulate registries running inside of air-gapped environments.
22
23
24 Differently from other skopeo commands, skopeo sync requires both
25 source and destination transports to be specified separately from
26 source and destination. One of the problems of prefixing a destination
27 with its transport is that, the registry docker://hostname:port would
28 be wrongly interpreted as an image reference at a non-fully qualified
29 registry, with hostname and port the image name and tag.
30
31
32 Available source transports:
33 - docker (i.e. --src docker): source is a repository hosted on a con‐
34 tainer registry (e.g.: registry.example.com/busybox).
35 If no image tag is specified, skopeo sync copies all the tags found in
36 that repository.
37 - dir (i.e. --src dir): source is a local directory path (e.g.:
38 /media/usb/). Refer to skopeo(1) dir:path for the local image format.
39 - yaml (i.e. --src yaml): source is local YAML file path.
40 The YAML file should specify the list of images copied from different
41 container registries (local directories are not supported). Refer to
42 EXAMPLES for the file format.
43
44
45 Available destination transports:
46 - docker (i.e. --dest docker): destination is a container registry
47 (e.g.: my-registry.local.lan).
48 - dir (i.e. --dest dir): destination is a local directory path (e.g.:
49 /media/usb/).
50 One directory per source 'image:tag' is created for each copied image.
51
52
53 When the --scoped option is specified, images are prefixed with the
54 source image path so that multiple images with the same name can be
55 stored at destination.
56
57
59 --authfile path
60
61
62 Path of the authentication file. Default is ${XDG_RUNTIME_DIR}/contain‐
63 ers/auth.json, which is set using podman login. If the authorization
64 state is not found there, $HOME/.docker/config.json is checked, which
65 is set using docker login.
66
67
68 --src-authfile path
69
70
71 Path of the authentication file for the source registry. Uses path
72 given by --authfile, if not provided.
73
74
75 --dest-authfile path
76
77
78 Path of the authentication file for the destination registry. Uses path
79 given by --authfile, if not provided.
80
81
82 --src transport Transport for the source repository.
83
84
85 --dest transport Destination transport.
86
87
88 --scoped Prefix images with the source image path, so that multiple
89 images with the same name can be stored at destination.
90
91
92 --remove-signatures Do not copy signatures, if any, from source-image.
93 This is necessary when copying a signed image to a destination which
94 does not support signatures.
95
96
97 --sign-by=key-id Add a signature using that key ID for an image name
98 corresponding to destination-image.
99
100
101 --src-creds username[:password] for accessing the source registry.
102
103
104 --dest-creds username[:password] for accessing the destination reg‐
105 istry.
106
107
108 --src-cert-dir path Use certificates (*.crt, *.cert, *.key) at path to
109 connect to the source registry or daemon.
110
111
112 --src-no-creds bool-value Access the registry anonymously.
113
114
115 --src-tls-verify bool-value Require HTTPS and verify certificates when
116 talking to a container source registry or daemon (defaults to true).
117
118
119 --dest-cert-dir path Use certificates (*.crt, *.cert, *.key) at path to
120 connect to the destination registry or daemon.
121
122
123 --dest-no-creds bool-value Access the registry anonymously.
124
125
126 --dest-tls-verify bool-value Require HTTPS and verify certificates when
127 talking to a container destination registry or daemon (defaults to
128 true).
129
130
132 Synchronizing to a local directory
133 $ skopeo sync --src docker --dest dir registry.example.com/busybox /media/usb
134
135
136
137 Images are located at:
138
139
140 /media/usb/busybox:1-glibc
141 /media/usb/busybox:1-musl
142 /media/usb/busybox:1-ubuntu
143 /media/usb/busybox:latest
144
145
146
147 Synchronizing to a local directory, scoped
148 $ skopeo sync --src docker --dest dir --scoped registry.example.com/busybox /media/usb
149
150
151
152 Images are located at:
153
154
155 /media/usb/registry.example.com/busybox:1-glibc
156 /media/usb/registry.example.com/busybox:1-musl
157 /media/usb/registry.example.com/busybox:1-ubuntu
158 /media/usb/registry.example.com/busybox:latest
159
160
161
162 Synchronizing to a container registry
163 skopeo sync --src docker --dest docker registry.example.com/busybox my-registry.local.lan
164
165
166
167 Destination registry content:
168
169
170 REPO TAGS
171 registry.local.lan/busybox 1-glibc, 1-musl, 1-ubuntu, ..., latest
172
173
174
175 Synchronizing to a container registry keeping the repository
176 skopeo sync --src docker --dest docker registry.example.com/repo/busybox my-registry.local.lan/repo
177
178
179
180 Destination registry content:
181
182
183 REPO TAGS
184 registry.local.lan/repo/busybox 1-glibc, 1-musl, 1-ubuntu, ..., latest
185
186
187
188 YAML file content (used source for **--src yaml**)
189 registry.example.com:
190 images:
191 busybox: []
192 redis:
193 - "1.0"
194 - "2.0"
195 credentials:
196 username: john
197 password: this is a secret
198 tls-verify: true
199 cert-dir: /home/john/certs
200 quay.io:
201 tls-verify: false
202 images:
203 coreos/etcd:
204 - latest
205
206
207
208 This will copy the following images: - Repository registry.exam‐
209 ple.com/busybox: all images, as no tags are specified. - Repository
210 registry.example.com/redis: images tagged "1.0" and "2.0". - Reposi‐
211 tory quay.io/coreos/etcd: images tagged "latest".
212
213
214 For the registry registry.example.com, the "john"/"this is a secret"
215 credentials are used, with server TLS certificates located at
216 /home/john/certs.
217
218
219 TLS verification is normally enabled, and it can be disabled setting
220 tls-verify to true. In the above example, TLS verification is enabled
221 for reigstry.example.com, while is disabled for quay.io.
222
223
225 skopeo(1), podman-login(1), docker-login(1)
226
227
229 Flavio Castelli fcastelli@suse.com ⟨mailto:fcastelli@suse.com⟩, Marco
230 Vedovati mvedovati@suse.com ⟨mailto:mvedovati@suse.com⟩
231
232
233
234 skopeo-sync(1)()