1skopeo-copy(1)() skopeo-copy(1)()
2
6 skopeo-copy - Copy an image (manifest, filesystem layers, signatures)
7 from one location to another.
8
11 skopeo copy [--sign-by=key-ID] source-image destination-image
12
15 Copy an image (manifest, filesystem layers, signatures) from one loca‐
16 tion to another.
17 Uses the system's trust policy to validate images, rejects images not
20 trusted by the policy.
21 source-image use the "image name" format described above
24 destination-image use the "image name" format described above
27 source-image and destination-image are interpreted completely indepen‐
30 dently; e.g. the destination name does not automatically inherit any
31 parts of the source name.
32
35 --all
36 If source-image refers to a list of images, instead of copying just the
39 image which matches the current OS and architecture (subject to the use
40 of the global --override-os, --override-arch and --override-variant
41 options), attempt to copy all of the images in the list, and the list
42 itself.
43 --authfile path
46 Path of the authentication file. Default is ${XDG_RUNTIME_DIR}/contain‐
49 ers/auth.json, which is set using skopeo login. If the authorization
50 state is not found there, $HOME/.docker/config.json is checked, which
51 is set using docker login.
52 Note: You can also override the default path of the authentication file
55 by setting the REGISTRY_AUTH_FILE environment variable. export REG‐
56 ISTRY_AUTH_FILE=path
57 --src-authfile path
60 Path of the authentication file for the source registry. Uses path
63 given by --authfile, if not provided.
64 --dest-authfile path
67 Path of the authentication file for the destination registry. Uses path
70 given by --authfile, if not provided.
71 --format, -f manifest-type Manifest type (oci, v2s1, or v2s2) to use
74 when saving image to directory using the 'dir:' transport (default is
75 manifest type of source)
76 --quiet, -q suppress output information when copying images
79 --remove-signatures do not copy signatures, if any, from source-image.
82 Necessary when copying a signed image to a destination which does not
83 support signatures.
84 --sign-by=key-id add a signature using that key ID for an image name
87 corresponding to destination-image
88 --encryption-key protocol:keyfile specifies the encryption protocol,
91 which can be JWE (RFC7516), PGP (RFC4880), and PKCS7 (RFC2315) and the
92 key material required for image encryption. For instance,
93 jwe:/path/to/key.pem or pgp:admin@example.com or
94 pkcs7:/path/to/x509-file.
95 --decryption-key key[:passphrase] to be used for decryption of images.
98 Key can point to keys and/or certificates. Decryption will be tried
99 with all keys. If the key is protected by a passphrase, it is required
100 to be passed in the argument and omitted otherwise.
101 --src-creds username[:password] for accessing the source registry.
104 --dest-compress bool-value Compress tarball image layers when saving to
107 directory using the 'dir' transport. (default is same compression type
108 as source).
109 --dest-oci-accept-uncompressed-layers bool-value Allow uncompressed
112 image layers when saving to an OCI image using the 'oci' transport.
113 (default is to compress things that aren't compressed).
114 --dest-creds username[:password] for accessing the destination reg‐
117 istry.
118 --src-cert-dir path Use certificates at path (*.crt, *.cert, *.key) to
121 connect to the source registry or daemon.
122 --src-no-creds bool-value Access the registry anonymously.
125 --src-tls-verify bool-value Require HTTPS and verify certificates when
128 talking to container source registry or daemon (defaults to true).
129 --dest-cert-dir path Use certificates at path (*.crt, *.cert, *.key) to
132 connect to the destination registry or daemon.
133 --dest-no-creds bool-value Access the registry anonymously.
136 --dest-tls-verify bool-value Require HTTPS and verify certificates when
139 talking to container destination registry or daemon (defaults to true).
140 --src-daemon-host host Copy from docker daemon at host. If host starts
143 with tcp://, HTTPS is enabled by default. To use plain HTTP, use the
144 form http:// (default is unix:///var/run/docker.sock).
145 --dest-daemon-host host Copy to docker daemon at host. If host starts
148 with tcp://, HTTPS is enabled by default. To use plain HTTP, use the
149 form http:// (default is unix:///var/run/docker.sock).
150 Existing signatures, if any, are preserved as well.
153 --dest-compress-format format Specifies the compression format to use.
156 Supported values are: gzip and zstd.
157 --dest-compress-level format Specifies the compression level to use.
160 The value is specific to the compression algorithm used, e.g. for zstd
161 the accepted values are in the range 1-20 (inclusive), while for gzip
162 it is 1-9 (inclusive).
163 --src-registry-token Bearer token for accessing the source registry.
166 --dest-registry-token Bearer token for accessing the destination reg‐
169 istry.
170
173 To just copy an image from one registry to another:
174 $ skopeo copy docker://quay.io/skopeo/stable:latest docker://registry.example.com/skopeo:latest
177 To copy the layers of the docker.io busybox image to a local directory:
181 $ mkdir -p /var/lib/images/busybox
184 $ skopeo copy docker://busybox:latest dir:/var/lib/images/busybox
185 $ ls /var/lib/images/busybox/*
186 /tmp/busybox/2b8fd9751c4c0f5dd266fcae00707e67a2545ef34f9a29354585f93dac906749.tar
187 /tmp/busybox/manifest.json
188 /tmp/busybox/8ddc19f16526912237dd8af81971d5e4dd0587907234be2b83e249518d5b673f.tar
189 To copy and sign an image:
193 # skopeo copy --sign-by dev@example.com containers-storage:example/busybox:streaming docker://example/busybox:gold
196 To encrypt an image:
200 skopeo copy docker://docker.io/library/nginx:1.17.8 oci:local_nginx:1.17.8
203 openssl genrsa -out private.key 1024
205 openssl rsa -in private.key -pubout > public.key
206 skopeo copy --encryption-key jwe:./public.key oci:local_nginx:1.17.8 oci:try-encrypt:encrypted
208 To decrypt an image:
212 skopeo copy --decryption-key ./private.key oci:try-encrypt:encrypted oci:try-decrypt:decrypted
215 To copy encrypted image without decryption:
219 skopeo copy oci:try-encrypt:encrypted oci:try-encrypt-copy:encrypted
222 To decrypt an image that requires more than one key:
226 skopeo copy --decryption-key ./private1.key --decryption-key ./private2.key --decryption-key ./private3.key oci:try-encrypt:encrypted oci:try-decrypt:decrypted
229 Container images can also be partially encrypted by specifying the
233 index of the layer. Layers are 0-indexed indices, with support for neg‐
234 ative indexing. i.e. 0 is the first layer, -1 is the last layer.
235 Let's say out of 3 layers that the image docker.io/library/nginx:1.17.8
238 is made up of, we only want to encrypt the 2nd layer,
239 skopeo copy --encryption-key jwe:./public.key --encrypt-layer 1 oci:local_nginx:1.17.8 oci:try-encrypt:encrypted
242
246 skopeo(1), skopeo-login(1), docker-login(1), containers-auth.json(5),
247 containers-policy.json(5), containers-transports(5)
248
251 Antonio Murdaca runcom@redhat.com ⟨mailto:runcom@redhat.com⟩, Miloslav
252 Trmac mitr@redhat.com ⟨mailto:mitr@redhat.com⟩, Jhon Honce jhonce@red‐
253 hat.com ⟨mailto:jhonce@redhat.com⟩
254 skopeo-copy(1)()