skopeo-sync(1)

NAME
skopeo-sync - Synchronize images between container registries and local
directories.

SYNOPSIS
skopeo sync --src transport --dest transport source destination

DESCRIPTION
Synchronize images between container registries and local directories.
The synchronization is achieved by copying all the images found at
source to destination.

Useful to synchronize a local container registry mirror, and to populate
registries running inside air-gapped environments.

Unlike other skopeo commands, skopeo sync requires both source and
destination transports to be specified separately from source and
destination. One of the problems of prefixing a destination with its
transport is that the registry docker://hostname:port would be wrongly
interpreted as an image reference at a non-fully qualified registry,
with hostname and port as the image name and tag.
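
The ambiguity described above, as an added Ruby example that is not part of the skopeo documentation: a simplified model of Docker-style reference normalization showing how a bare hostname:port is read as an image name and tag. The docker.io default registry and library/ prefix are assumptions of this model, and parse_reference is a hypothetical helper.

```ruby
# Simplified model of Docker-style image reference normalization.
# Assumptions: default registry "docker.io" and the "library/" prefix for
# single-component names; character validation is omitted for brevity.
DEFAULT_DOMAIN = "docker.io"

# parse_reference is a hypothetical helper, not a skopeo API.
def parse_reference(ref)
  raise ArgumentError, "empty reference" if ref.empty?
  ref, digest = ref.split("@", 2)
  first, rest = ref.split("/", 2)
  # The first component is a registry host only when a "/" follows it and it
  # looks like a host: contains "." or ":", is "localhost", or has uppercase.
  if rest.nil? || (!first.match?(/[.:]/) && first != "localhost" && first == first.downcase)
    domain, remainder = DEFAULT_DOMAIN, ref
  else
    domain, remainder = first, rest
  end
  # A ":" in the last path component separates the repository from the tag.
  path, tag = remainder, nil
  if remainder.split("/").last.to_s.include?(":")
    idx = remainder.rindex(":")
    path, tag = remainder[0...idx], remainder[(idx + 1)..]
  end
  path = "library/#{path}" if domain == DEFAULT_DOMAIN && !path.include?("/")
  { domain: domain, path: path, tag: tag, digest: digest }
end

# Constructed inputs: a bare registry address, then the same address
# followed by a repository and tag.
BARE = parse_reference("my-registry.local.lan:5000")
FULL = parse_reference("my-registry.local.lan:5000/busybox:latest")
```

With nothing after the port, the address is not treated as a registry at all, which is why skopeo sync takes the transport through --src and --dest instead of a prefix.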

Available source transports:
- docker (i.e. --src docker): source is a repository hosted on a container
  registry (e.g.: registry.example.com/busybox). If no image tag is
  specified, skopeo sync copies all the tags found in that repository.
- dir (i.e. --src dir): source is a local directory path (e.g.:
  /media/usb/). Refer to skopeo(1) dir:path for the local image format.
- yaml (i.e. --src yaml): source is a local YAML file path. The YAML file
  should specify the list of images copied from different container
  registries (local directories are not supported). Refer to EXAMPLES for
  the file format.

Available destination transports:
- docker (i.e. --dest docker): destination is a container registry
  (e.g.: my-registry.local.lan).
- dir (i.e. --dest dir): destination is a local directory path (e.g.:
  /media/usb/). One directory per source 'image:tag' is created for each
  copied image.

When the --scoped option is specified, images are prefixed with the
source image path so that multiple images with the same name can be
stored at destination.

OPTIONS
--all
    If one of the images in src refers to a list of images, instead of
    copying just the image which matches the current OS and architecture
    (subject to the use of the global --override-os, --override-arch and
    --override-variant options), attempt to copy all of the images in the
    list, and the list itself.

--authfile path
    Path of the authentication file. Default is
    ${XDG_RUNTIME_DIR}/containers/auth.json, which is set using skopeo
    login. If the authorization state is not found there,
    $HOME/.docker/config.json is checked, which is set using docker login.

--src-authfile path
    Path of the authentication file for the source registry. Uses path
    given by --authfile, if not provided.

--dest-authfile path
    Path of the authentication file for the destination registry. Uses
    path given by --authfile, if not provided.

--src transport
    Transport for the source repository.

--dest transport
    Destination transport.

--scoped
    Prefix images with the source image path, so that multiple images with
    the same name can be stored at destination.

--remove-signatures
    Do not copy signatures, if any, from source-image. This is necessary
    when copying a signed image to a destination which does not support
    signatures.

--sign-by=key-id
    Add a signature using that key ID for an image name corresponding to
    destination-image.

--src-creds username[:password]
    Credentials for accessing the source registry.

--dest-creds username[:password]
    Credentials for accessing the destination registry.

--src-cert-dir path
    Use certificates (*.crt, *.cert, *.key) at path to connect to the
    source registry or daemon.

--src-no-creds bool-value
    Access the registry anonymously.

--src-tls-verify bool-value
    Require HTTPS and verify certificates when talking to a container
    source registry or daemon (defaults to true).

--dest-cert-dir path
    Use certificates (*.crt, *.cert, *.key) at path to connect to the
    destination registry or daemon.

--dest-no-creds bool-value
    Access the registry anonymously.

--dest-tls-verify bool-value
    Require HTTPS and verify certificates when talking to a container
    destination registry or daemon (defaults to true).

--src-registry-token
    Bearer token for accessing the source registry.

--dest-registry-token
    Bearer token for accessing the destination registry.

EXAMPLES
Synchronizing to a local directory
    $ skopeo sync --src docker --dest dir registry.example.com/busybox /media/usb

Images are located at:
    /media/usb/busybox:1-glibc
    /media/usb/busybox:1-musl
    /media/usb/busybox:1-ubuntu
    /media/usb/busybox:latest

Synchronizing to a container registry from local
Images are located at:
    /media/usb/busybox:1-glibc

Sync run:
    $ skopeo sync --src dir --dest docker /media/usb/busybox:1-glibc my-registry.local.lan/test/

Destination registry content:
    REPO                                 TAGS
    my-registry.local.lan/test/busybox   1-glibc

Synchronizing to a local directory, scoped
    $ skopeo sync --src docker --dest dir --scoped registry.example.com/busybox /media/usb

Images are located at:
    /media/usb/registry.example.com/busybox:1-glibc
    /media/usb/registry.example.com/busybox:1-musl
    /media/usb/registry.example.com/busybox:1-ubuntu
    /media/usb/registry.example.com/busybox:latest

Synchronizing to a container registry
    $ skopeo sync --src docker --dest docker registry.example.com/busybox my-registry.local.lan

Destination registry content:
    REPO                            TAGS
    my-registry.local.lan/busybox   1-glibc, 1-musl, 1-ubuntu, ..., latest

Synchronizing to a container registry keeping the repository
    $ skopeo sync --src docker --dest docker registry.example.com/repo/busybox my-registry.local.lan/repo

Destination registry content:
    REPO                                 TAGS
    my-registry.local.lan/repo/busybox   1-glibc, 1-musl, 1-ubuntu, ..., latest

YAML file content (used as source for --src yaml)
    registry.example.com:
        images:
            busybox: []
            redis:
                - "1.0"
                - "2.0"
                - "sha256:0000000000000000000000000000000011111111111111111111111111111111"
        images-by-tag-regex:
            nginx: ^1\.13\.[12]-alpine-perl$
        credentials:
            username: john
            password: this is a secret
        tls-verify: true
        cert-dir: /home/john/certs
    quay.io:
        tls-verify: false
        images:
            coreos/etcd:
                - latest

If the yaml filename is sync.yml, sync run:
    $ skopeo sync --src yaml --dest docker sync.yml my-registry.local.lan/repo/

This will copy the following images:
- Repository registry.example.com/busybox: all images, as no tags are
  specified.
- Repository registry.example.com/redis: images tagged "1.0" and "2.0"
  along with image with digest
  "sha256:0000000000000000000000000000000011111111111111111111111111111111".
- Repository registry.example.com/nginx: images tagged
  "1.13.1-alpine-perl" and "1.13.2-alpine-perl".
- Repository quay.io/coreos/etcd: images tagged "latest".

For the registry registry.example.com, the "john"/"this is a secret"
credentials are used, with server TLS certificates located at
/home/john/certs.

TLS verification is normally enabled, and it can be disabled by setting
tls-verify to false. In the above example, TLS verification is enabled
for registry.example.com, while it is disabled for quay.io.
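
An added example, not part of the skopeo documentation: a Ruby check over the sync file shown above that reports the settings a reviewer would confirm before a mirror job runs (disabled TLS verification, an inline password, repositories copied without a tag list, and entries selected by tag rather than digest). audit_sync_yaml and its finding strings are hypothetical names; the embedded sample is the page's own YAML.

```ruby
require "yaml"

# Constructed sample: the sync file from the EXAMPLES section above.
SAMPLE_SYNC = <<~'SYNC'
  registry.example.com:
    images:
      busybox: []
      redis:
        - "1.0"
        - "2.0"
        - "sha256:0000000000000000000000000000000011111111111111111111111111111111"
    images-by-tag-regex:
      nginx: ^1\.13\.[12]-alpine-perl$
    credentials:
      username: john
      password: this is a secret
    tls-verify: true
    cert-dir: /home/john/certs
  quay.io:
    tls-verify: false
    images:
      coreos/etcd:
        - latest
SYNC

# audit_sync_yaml is a hypothetical helper, not part of skopeo.
# Returns [registry, finding] pairs for settings a reviewer should confirm.
def audit_sync_yaml(text)
  doc = YAML.safe_load(text) || {}
  raise ArgumentError, "top level must map registries to settings" unless doc.is_a?(Hash)
  doc.flat_map do |registry, cfg|
    cfg = {} unless cfg.is_a?(Hash)
    found = []
    found << "tls-verify is false" if cfg["tls-verify"] == false
    creds = cfg["credentials"]
    found << "password stored inline" if creds.is_a?(Hash) && creds["password"]
    images = cfg["images"].is_a?(Hash) ? cfg["images"] : {}
    images.each do |repo, tags|
      tags = Array(tags)
      found << "#{repo}: no tags listed, every tag is copied" if tags.empty?
      by_tag = tags.count { |t| !t.to_s.start_with?("sha256:") }
      found << "#{repo}: #{by_tag} of #{tags.size} entries use a mutable tag" if by_tag > 0
    end
    found.map { |finding| [registry, finding] }
  end
end

FINDINGS = audit_sync_yaml(SAMPLE_SYNC)
```

Credentials flagged here can instead be read from the file named by --src-authfile or --authfile.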

SEE ALSO
skopeo(1), skopeo-login(1), docker-login(1), containers-auth.json(5),
containers-policy.json(5), containers-transports(5)

AUTHORS
Flavio Castelli <fcastelli@suse.com>, Marco Vedovati <mvedovati@suse.com>