skopeo-copy(1)() skopeo-copy(1)()

skopeo-copy - Copy an image (manifest, filesystem layers, signatures)
from one location to another.

skopeo copy [--sign-by=key-ID] source-image destination-image

Copy an image (manifest, filesystem layers, signatures) from one
location to another.

Uses the system's trust policy to validate images and rejects images
not trusted by the policy.

source-image use the "image name" format described above

destination-image use the "image name" format described above

source-image and destination-image are interpreted completely
independently; e.g. the destination name does not automatically inherit
any parts of the source name.

--all

If source-image refers to a list of images, instead of copying just the
image which matches the current OS and architecture (subject to the use
of the global --override-os, --override-arch and --override-variant
options), attempt to copy all of the images in the list, and the list
itself.

--authfile path

Path of the authentication file. Default is
${XDG_RUNTIME_DIR}/containers/auth.json, which is set using skopeo
login. If the authorization state is not found there,
$HOME/.docker/config.json is checked, which is set using docker login.

Note: You can also override the default path of the authentication file
by setting the REGISTRY_AUTH_FILE environment variable.
export REGISTRY_AUTH_FILE=path

--src-authfile path

Path of the authentication file for the source registry. Uses path
given by --authfile, if not provided.

--dest-authfile path

Path of the authentication file for the destination registry. Uses path
given by --authfile, if not provided.

--format, -f manifest-type Manifest type (oci, v2s1, or v2s2) to use
when saving image to directory using the 'dir:' transport (default is
manifest type of source)

--quiet, -q suppress output information when copying images

--remove-signatures do not copy signatures, if any, from source-image.
Necessary when copying a signed image to a destination which does not
support signatures.

--sign-by=key-id add a signature using that key ID for an image name
corresponding to destination-image

--encryption-key protocol:keyfile specifies the encryption protocol,
which can be JWE (RFC7516), PGP (RFC4880), and PKCS7 (RFC2315) and the
key material required for image encryption. For instance,
jwe:/path/to/key.pem or pgp:admin@example.com or
pkcs7:/path/to/x509-file.

--decryption-key key[:passphrase] to be used for decryption of images.
Key can point to keys and/or certificates. Decryption will be tried
with all keys. If the key is protected by a passphrase, it is required
to be passed in the argument and omitted otherwise.

--src-creds username[:password] for accessing the source registry.

--dest-compress bool-value Compress tarball image layers when saving to
directory using the 'dir' transport. (default is same compression type
as source).

--dest-oci-accept-uncompressed-layers bool-value Allow uncompressed
image layers when saving to an OCI image using the 'oci' transport.
(default is to compress things that aren't compressed).

--dest-creds username[:password] for accessing the destination
registry.

--src-cert-dir path Use certificates at path (*.crt, *.cert, *.key) to
connect to the source registry or daemon.

--src-no-creds bool-value Access the registry anonymously.

--src-tls-verify bool-value Require HTTPS and verify certificates when
talking to container source registry or daemon (defaults to true).

--dest-cert-dir path Use certificates at path (*.crt, *.cert, *.key) to
connect to the destination registry or daemon.

--dest-no-creds bool-value Access the registry anonymously.

--dest-tls-verify bool-value Require HTTPS and verify certificates when
talking to container destination registry or daemon (defaults to true).

--src-daemon-host host Copy from docker daemon at host. If host starts
with tcp://, HTTPS is enabled by default. To use plain HTTP, use the
form http:// (default is unix:///var/run/docker.sock).

--dest-daemon-host host Copy to docker daemon at host. If host starts
with tcp://, HTTPS is enabled by default. To use plain HTTP, use the
form http:// (default is unix:///var/run/docker.sock).

Existing signatures, if any, are preserved as well.

--dest-compress-format format Specifies the compression format to use.
Supported values are: gzip and zstd.

--dest-compress-level format Specifies the compression level to use.
The value is specific to the compression algorithm used, e.g. for zstd
the accepted values are in the range 1-20 (inclusive), while for gzip
it is 1-9 (inclusive).

--src-registry-token Bearer token for accessing the source registry.

--dest-registry-token Bearer token for accessing the destination
registry.

To just copy an image from one registry to another:

$ skopeo copy docker://quay.io/skopeo/stable:latest docker://registry.example.com/skopeo:latest

To copy the layers of the docker.io busybox image to a local directory:

$ mkdir -p /var/lib/images/busybox
$ skopeo copy docker://busybox:latest dir:/var/lib/images/busybox
$ ls /var/lib/images/busybox/*
/var/lib/images/busybox/2b8fd9751c4c0f5dd266fcae00707e67a2545ef34f9a29354585f93dac906749.tar
/var/lib/images/busybox/manifest.json
/var/lib/images/busybox/8ddc19f16526912237dd8af81971d5e4dd0587907234be2b83e249518d5b673f.tar

To copy and sign an image:

# skopeo copy --sign-by dev@example.com containers-storage:example/busybox:streaming docker://example/busybox:gold

To encrypt an image:

skopeo copy docker://docker.io/library/nginx:1.17.8 oci:local_nginx:1.17.8

# Note: use at least 2048 bits for any key protecting real images
openssl genrsa -out private.key 1024
openssl rsa -in private.key -pubout > public.key

skopeo copy --encryption-key jwe:./public.key oci:local_nginx:1.17.8 oci:try-encrypt:encrypted

To decrypt an image:

skopeo copy --decryption-key ./private.key oci:try-encrypt:encrypted oci:try-decrypt:decrypted

To copy an encrypted image without decryption:

skopeo copy oci:try-encrypt:encrypted oci:try-encrypt-copy:encrypted

To decrypt an image that requires more than one key:

skopeo copy --decryption-key ./private1.key --decryption-key ./private2.key --decryption-key ./private3.key oci:try-encrypt:encrypted oci:try-decrypt:decrypted

Container images can also be partially encrypted by specifying the
index of the layer. Layers are 0-indexed, with support for negative
indexing, i.e. 0 is the first layer and -1 is the last layer.

Let's say that, out of the 3 layers that the image
docker.io/library/nginx:1.17.8 is made up of, we only want to encrypt
the 2nd layer:

skopeo copy --encryption-key jwe:./public.key --encrypt-layer 1 oci:local_nginx:1.17.8 oci:try-encrypt:encrypted

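Added example (not part of the skopeo documentation): a Python check that reads the OCI layout written by a partial-encryption copy like the one above and reports whether the layers that were meant to be encrypted actually are. It assumes encrypted layers carry the +encrypted media-type suffix used by ocicrypt and that the tag is recorded in index.json under org.opencontainers.image.ref.name; the sample layout, its placeholder digests and all function names are constructed for illustration.

```python
import json
import os
import tempfile

ENC_SUFFIX = "+encrypted"  # assumed media-type suffix on encrypted layers (ocicrypt)

def load_manifest(layout_dir, tag):
    """Return the image manifest stored under `tag` in an OCI layout directory."""
    with open(os.path.join(layout_dir, "index.json")) as f:
        index = json.load(f)
    for entry in index["manifests"]:
        if entry.get("annotations", {}).get("org.opencontainers.image.ref.name") == tag:
            algo, hexdigest = entry["digest"].split(":", 1)
            with open(os.path.join(layout_dir, "blobs", algo, hexdigest)) as f:
                return json.load(f)
    raise KeyError(f"tag {tag!r} not found in {layout_dir}")

def resolve_layer(index, count):
    """Map an --encrypt-layer value (0-based, negatives count from the end) to a position."""
    pos = index + count if index < 0 else index
    if not 0 <= pos < count:
        raise IndexError(f"layer index {index} out of range for {count} layers")
    return pos

def audit_layers(manifest, expected):
    """Compare the layers that should be encrypted with the ones that are."""
    layers = manifest["layers"]
    want = {resolve_layer(i, len(layers)) for i in expected}
    have = {n for n, layer in enumerate(layers) if layer["mediaType"].endswith(ENC_SUFFIX)}
    return {"missing": sorted(want - have), "unexpected": sorted(have - want)}

def build_sample_layout(root):
    """Constructed sample: a 3-layer image whose 2nd layer is encrypted."""
    gz = "application/vnd.oci.image.layer.v1.tar+gzip"
    manifest = {"schemaVersion": 2, "layers": [
        {"mediaType": gz, "digest": "sha256:" + "a" * 64, "size": 1},
        {"mediaType": gz + ENC_SUFFIX, "digest": "sha256:" + "b" * 64, "size": 1},
        {"mediaType": gz, "digest": "sha256:" + "c" * 64, "size": 1}]}
    blob = "d" * 64  # placeholder digest, not a real hash of the manifest
    os.makedirs(os.path.join(root, "blobs", "sha256"))
    with open(os.path.join(root, "blobs", "sha256", blob), "w") as f:
        json.dump(manifest, f)
    index = {"schemaVersion": 2, "manifests": [{"digest": "sha256:" + blob,
             "annotations": {"org.opencontainers.image.ref.name": "encrypted"}}]}
    with open(os.path.join(root, "index.json"), "w") as f:
        json.dump(index, f)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_layout(root)
        print(audit_layers(load_manifest(root, "encrypted"), [1]))
```

An empty "missing" list means every layer named with --encrypt-layer is encrypted in the destination; a non-empty "unexpected" list means other layers were encrypted as well.
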
skopeo(1), skopeo-login(1), docker-login(1), containers-auth.json(5),
containers-policy.json(5), containers-transports(5)

Antonio Murdaca runcom@redhat.com, Miloslav Trmac mitr@redhat.com,
Jhon Honce jhonce@redhat.com