skopeo-copy(1)()                                              skopeo-copy(1)()

NAME

       skopeo-copy - Copy an image (manifest, filesystem layers, signatures)
       from one location to another.

SYNOPSIS

       skopeo copy [--sign-by=key-ID] source-image destination-image

DESCRIPTION

       Copy an image (manifest, filesystem layers, signatures) from one
       location to another.

       Uses the system's trust policy to validate images and rejects images
       not trusted by the policy.

       source-image use the "image name" format described above

       destination-image use the "image name" format described above

       source-image and destination-image are interpreted completely
       independently; e.g. the destination name does not automatically inherit
       any parts of the source name.

OPTIONS

       --all

       If source-image refers to a list of images, instead of copying just the
       image which matches the current OS and architecture (subject to the use
       of the global --override-os, --override-arch and --override-variant
       options), attempt to copy all of the images in the list, and the list
       itself.

       --authfile path

       Path of the authentication file. Default is
       ${XDG_RUNTIME_DIR}/containers/auth.json, which is set using skopeo
       login. If the authorization state is not found there,
       $HOME/.docker/config.json is checked, which is set using docker login.

       Note: You can also override the default path of the authentication file
       by setting the REGISTRY_AUTH_FILE environment variable:

              export REGISTRY_AUTH_FILE=path

       --src-authfile path

       Path of the authentication file for the source registry. Uses path
       given by --authfile, if not provided.

       --dest-authfile path

       Path of the authentication file for the destination registry. Uses path
       given by --authfile, if not provided.
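
       The lookup order described above, written out as a check an operator
       can run. This is an added example, not skopeo's own code: the function
       names are hypothetical, and the fallback is simplified to "file
       exists" rather than "credentials for this registry are present".

```shell
#!/bin/sh
# Added example (not skopeo code): which authentication file applies to one
# side of a copy, and is it readable only by its owner?

# resolve_authfile SIDE_AUTHFILE AUTHFILE
#   SIDE_AUTHFILE: value of --src-authfile or --dest-authfile ("" if unset)
#   AUTHFILE:      value of --authfile ("" if unset)
resolve_authfile() {
    side=${1:-} general=${2:-}
    if [ -n "$side" ]; then printf '%s\n' "$side"; return 0; fi
    if [ -n "$general" ]; then printf '%s\n' "$general"; return 0; fi
    if [ -n "${REGISTRY_AUTH_FILE:-}" ]; then
        printf '%s\n' "$REGISTRY_AUTH_FILE"; return 0
    fi
    # Defaults: the "skopeo login" file first, then the "docker login" file.
    if [ -n "${XDG_RUNTIME_DIR:-}" ] &&
       [ -f "$XDG_RUNTIME_DIR/containers/auth.json" ]; then
        printf '%s\n' "$XDG_RUNTIME_DIR/containers/auth.json"; return 0
    fi
    if [ -f "${HOME:-}/.docker/config.json" ]; then
        printf '%s\n' "$HOME/.docker/config.json"; return 0
    fi
    return 1   # nothing found
}

# authfile_is_private FILE: succeeds only if group and others have no access.
# The file holds registry credentials, so any other permission bit is a finding.
authfile_is_private() {
    [ -f "$1" ] || return 2
    perms=$(ls -ld "$1" | cut -c5-10)   # the six group/other permission chars
    [ "$perms" = "------" ]
}

# audit_authfile SIDE_AUTHFILE AUTHFILE: print the file in effect and a verdict.
audit_authfile() {
    file=$(resolve_authfile "${1:-}" "${2:-}") || { echo "none"; return 0; }
    if authfile_is_private "$file"; then
        echo "ok $file"
    else
        echo "loose-or-missing $file"
    fi
}

# Stand-alone use: pass the --src-authfile/--dest-authfile and --authfile values.
audit_authfile "${1:-}" "${2:-}"
```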

       --format, -f manifest-type

       Manifest type (oci, v2s1, or v2s2) to use when saving image to
       directory using the 'dir:' transport (default is manifest type of
       source).

       --quiet, -q

       Suppress output information when copying images.

       --remove-signatures

       Do not copy signatures, if any, from source-image. Necessary when
       copying a signed image to a destination which does not support
       signatures.

       --sign-by=key-id

       Add a signature using that key ID for an image name corresponding to
       destination-image.

       --encryption-key protocol:keyfile

       Specifies the encryption protocol, which can be JWE (RFC7516), PGP
       (RFC4880), or PKCS7 (RFC2315), and the key material required for image
       encryption. For instance, jwe:/path/to/key.pem or
       pgp:admin@example.com or pkcs7:/path/to/x509-file.

       --decryption-key key[:passphrase]

       The key[:passphrase] to be used for decryption of images. Key can
       point to keys and/or certificates. Decryption will be tried with all
       keys. If the key is protected by a passphrase, the passphrase must be
       passed in the argument; otherwise it is omitted.

       --src-creds username[:password]

       For accessing the source registry.

       --dest-compress bool-value

       Compress tarball image layers when saving to directory using the 'dir'
       transport (default is same compression type as source).

       --dest-oci-accept-uncompressed-layers bool-value

       Allow uncompressed image layers when saving to an OCI image using the
       'oci' transport (default is to compress things that aren't
       compressed).

       --dest-creds username[:password]

       For accessing the destination registry.

       --src-cert-dir path

       Use certificates at path (*.crt, *.cert, *.key) to connect to the
       source registry or daemon.

       --src-no-creds bool-value

       Access the registry anonymously.

       --src-tls-verify bool-value

       Require HTTPS and verify certificates when talking to container source
       registry or daemon (defaults to true).

       --dest-cert-dir path

       Use certificates at path (*.crt, *.cert, *.key) to connect to the
       destination registry or daemon.

       --dest-no-creds bool-value

       Access the registry anonymously.

       --dest-tls-verify bool-value

       Require HTTPS and verify certificates when talking to container
       destination registry or daemon (defaults to true).

       --src-daemon-host host

       Copy from docker daemon at host. If host starts with tcp://, HTTPS is
       enabled by default. To use plain HTTP, use the form http:// (default is
       unix:///var/run/docker.sock).

       --dest-daemon-host host

       Copy to docker daemon at host. If host starts with tcp://, HTTPS is
       enabled by default. To use plain HTTP, use the form http:// (default is
       unix:///var/run/docker.sock).

       Existing signatures, if any, are preserved as well.

       --dest-compress-format format

       Specifies the compression format to use. Supported values are: gzip
       and zstd.

       --dest-compress-level format

       Specifies the compression level to use. The value is specific to the
       compression algorithm used, e.g. for zstd the accepted values are in
       the range 1-20 (inclusive), while for gzip it is 1-9 (inclusive).

       --src-registry-token

       Bearer token for accessing the source registry.

       --dest-registry-token

       Bearer token for accessing the destination registry.

EXAMPLES

       To just copy an image from one registry to another:

              $ skopeo copy docker://quay.io/skopeo/stable:latest docker://registry.example.com/skopeo:latest

       To copy the layers of the docker.io busybox image to a local directory:

              $ mkdir -p /var/lib/images/busybox
              $ skopeo copy docker://busybox:latest dir:/var/lib/images/busybox
              $ ls /var/lib/images/busybox/*
                /var/lib/images/busybox/2b8fd9751c4c0f5dd266fcae00707e67a2545ef34f9a29354585f93dac906749.tar
                /var/lib/images/busybox/manifest.json
                /var/lib/images/busybox/8ddc19f16526912237dd8af81971d5e4dd0587907234be2b83e249518d5b673f.tar

       To copy and sign an image:

              # skopeo copy --sign-by dev@example.com containers-storage:example/busybox:streaming docker://example/busybox:gold

       To encrypt an image:

              skopeo copy docker://docker.io/library/nginx:1.17.8 oci:local_nginx:1.17.8

              # The JWE RSA key-encryption algorithms require a key of 2048 bits or more (RFC 7518)
              openssl genrsa -out private.key 2048
              openssl rsa -in private.key -pubout > public.key

              skopeo copy --encryption-key jwe:./public.key oci:local_nginx:1.17.8 oci:try-encrypt:encrypted

       To decrypt an image:

              skopeo copy --decryption-key ./private.key oci:try-encrypt:encrypted oci:try-decrypt:decrypted

       To copy an encrypted image without decrypting it:

              skopeo copy oci:try-encrypt:encrypted oci:try-encrypt-copy:encrypted

       To decrypt an image that requires more than one key:

              skopeo copy --decryption-key ./private1.key --decryption-key ./private2.key --decryption-key ./private3.key oci:try-encrypt:encrypted oci:try-decrypt:decrypted

       Container images can also be partially encrypted by specifying the
       index of the layer. Layers are 0-indexed, with support for negative
       indexing, i.e. 0 is the first layer, -1 is the last layer.

       Suppose that, of the 3 layers that make up the image
       docker.io/library/nginx:1.17.8, we only want to encrypt the 2nd layer:

              skopeo copy --encryption-key jwe:./public.key --encrypt-layer 1 oci:local_nginx:1.17.8 oci:try-encrypt:encrypted

SEE ALSO

       skopeo(1), skopeo-login(1), docker-login(1), containers-auth.json(5),
       containers-policy.json(5), containers-transports(5)

AUTHORS

       Antonio Murdaca <runcom@redhat.com>, Miloslav Trmac <mitr@redhat.com>,
       Jhon Honce <jhonce@redhat.com>