buildah-push(1)

1buildah-push(1)             General Commands Manual            buildah-push(1)
2
3
4

NAME

6       buildah-push  -  Push an image, manifest list or image index from local
7       storage to elsewhere.
8
9

SYNOPSIS

11       buildah push [options] image [destination]
12
13

DESCRIPTION

15       Pushes an image from local storage to a specified  destination,  decom‐
16       pressing and recompessing layers as needed.
17
18

imageID

20       Image stored in local container/storage
21
22

DESTINATION

24       The  DESTINATION  is  a location to store container images. If omitted,
25       the source image parameter will be reused as destination.
26
27
28       The Image "DESTINATION" uses a "transport":"details"  format.  Multiple
29       transports are supported:
30
31
32       dir:path
33         An existing local directory path storing the manifest, layer tarballs
34       and signatures as individual files. This is a non-standardized  format,
35       primarily useful for debugging or noninvasive container inspection.
36
37
38       docker://docker-reference
39         An  image  in  a  registry implementing the "Docker Registry HTTP API
40       V2".  By  default,  uses  the   authorization   state   in   $XDG\_RUN‐
41       TIME\_DIR/containers/auth.json,  which is set using (buildah login). If
42       the authorization state is not found  there,  $HOME/.docker/config.json
43       is checked, which is set using (docker login).
44         If  docker-reference does not include a registry name, the image will
45       be pushed to a registry running on localhost.
46
47
48       docker-archive:path[:docker-reference]
49         An image is stored in the docker save formatted file.   docker-refer‐
50       ence  is only used when creating such a file, and it must not contain a
51       digest.
52
53
54       docker-daemon:docker-reference
55         An image _dockerreference stored in the docker daemon internal  stor‐
56       age.  If  _dockerreference does not begin with a valid registry name (a
57       domain name containing "." or the reserved name "localhost")  then  the
58       default  registry  name "docker.io" will be prepended. _dockerreference
59       must contain either a tag or a digest. Alternatively, when reading  im‐
60       ages, the format can also be docker-daemon:algo:digest (an image ID).
61
62
63       oci:path:tag
64         An image tag in a directory compliant with "Open Container Image Lay‐
65       out Specification" at path.
66
67
68       oci-archive:path:tag
69         An image tag in a tar archive compliant with  "Open  Container  Image
70       Layout Specification" at path.
71
72
73       If  the  transport  part  of DESTINATION is omitted, "docker://" is as‐
74       sumed.
75
76

OPTIONS

78       --all
79
80
81       If specified image is a manifest list or image index, push  the  images
82       in addition to the list or index itself.
83
84
85       --authfile path
86
87
88       Path  of  the  authentication file. Default is ${XDG_\RUNTIME_DIR}/con‐
89       tainers/auth.json. If  XDG_RUNTIME_DIR  is  not  set,  the  default  is
90       /run/containers/$UID/auth.json.  This file is created using using buil‐
91       dah login.
92
93
94       If the authorization  state  is  not  found  there,  $HOME/.docker/con‐
95       fig.json is checked, which is set using docker login.
96
97
98       Note: You can also override the default path of the authentication file
99       by setting the REGISTRY_AUTH_FILE  environment  variable.  export  REG‐
100       ISTRY_AUTH_FILE=path
101
102
103       --cert-dir path
104
105
106       Use  certificates at path (*.crt, *.cert, *.key) to connect to the reg‐
107       istry.  The default certificates directory is /etc/containers/certs.d.
108
109
110       --creds creds
111
112
113       The [username[:password]] to use to authenticate with the  registry  if
114       required.   If  one  or  both  values  are not supplied, a command line
115       prompt will appear and the value can be entered.  The password  is  en‐
116       tered without echo.
117
118
119       --digestfile Digestfile
120
121
122       After copying the image, write the digest of the resulting image to the
123       file.
124
125
126       --disable-compression, -D
127
128
129       Don't compress copies of filesystem layers which will be pushed.
130
131
132       --encryption-key key
133
134
135       The [protocol:keyfile] specifies the encryption protocol, which can  be
136       JWE  (RFC7516), PGP (RFC4880), and PKCS7 (RFC2315) and the key material
137       required for image encryption. For  instance,  jwe:/path/to/key.pem  or
138       pgp:admin@example.com or pkcs7:/path/to/x509-file.
139
140
141       --encrypt-layer layer(s)
142
143
144       Layer(s)  to encrypt: 0-indexed layer indices with support for negative
145       indexing (e.g. 0 is the first layer, -1 is the last layer). If not  de‐
146       fined, will encrypt all layers if encryption-key flag is specified.
147
148
149       --format, -f
150
151
152       Manifest  Type  (oci, v2s2, or v2s1) to use when pushing an image. (de‐
153       fault is manifest type of the source image)
154
155
156       --quiet, -q
157
158
159       When writing the output image, suppress progress output.
160
161
162       --remove-signatures
163
164
165       Don't copy signatures when pushing images.
166
167
168       --rm
169
170
171       When pushing a the manifest list or image index, delete them from local
172       storage if pushing succeeds.
173
174
175       --sign-by fingerprint
176
177
178       Sign the pushed image using the GPG key that matches the specified fin‐
179       gerprint.
180
181
182       --tls-verify bool-value
183
184
185       Require HTTPS and verification of certificates  when  talking  to  con‐
186       tainer  registries (defaults to true).  TLS verification cannot be used
187       when talking to an insecure registry.
188
189

EXAMPLE

191       This example pushes the image specified by the imageID to a  local  di‐
192       rectory in docker format.
193
194
195       # buildah push imageID dir:/path/to/image
196
197
198       This  example  pushes the image specified by the imageID to a local di‐
199       rectory in oci format.
200
201
202       # buildah push imageID oci:/path/to/layout:image:tag
203
204
205       This example pushes the image specified by the imageID to a tar archive
206       in oci format.
207
208
209       # buildah push imageID oci-archive:/path/to/archive:image:tag
210
211
212       This  example  pushes the image specified by the imageID to a container
213       registry named registry.example.com.
214
215
216       # buildah push imageID docker://registry.example.com/repository:tag
217
218
219       This example pushes the image specified by the imageID to  a  container
220       registry  named registry.example.com and saves the digest in the speci‐
221       fied digestfile.
222
223
224       # buildah push --digestfile=/tmp/mydigest imageID docker://registry.ex‐
225       ample.com/repository:tag
226
227
228       This   example   works   like   docker  push,  assuming  registry.exam‐
229       ple.com/my_image is a local image.
230
231
232       # buildah push registry.example.com/my_image
233
234
235       This example pushes the image specified by the  imageID  to  a  private
236       container  registry named registry.example.com with authentication from
237       /tmp/auths/myauths.json.
238
239
240       # buildah push --authfile /tmp/auths/myauths.json imageID docker://reg‐
241       istry.example.com/repository:tag
242
243
244       This  example  pushes  the image specified by the imageID and puts into
245       the local docker container store.
246
247
248       # buildah push imageID docker-daemon:image:tag
249
250
251       This example pushes the image specified by the imageID and puts it into
252       the registry on the localhost while turning off tls verification.
253        #    buildah    push    --tls-verify=false   imageID   docker://local‐
254       host:5000/my-imageID
255
256
257       This example pushes the image specified by the imageID and puts it into
258       the  registry  on  the localhost using credentials and certificates for
259       authentication.
260        #  buildah  push  --cert-dir  ~/auth  --tls-verify=true  --creds=user‐
261       name:password imageID docker://localhost:5000/my-imageID
262
263

ENVIRONMENT

265       BUILD_REGISTRY_SOURCES
266
267
268       BUILD_REGISTRY_SOURCES,  if set, is treated as a JSON object which con‐
269       tains lists  of  registry  names  under  the  keys  insecureRegistries,
270       blockedRegistries, and allowedRegistries.
271
272
273       When  pushing an image to a registry, if the portion of the destination
274       image name that corresponds to a registry is compared to the  items  in
275       the blockedRegistries list, and if it matches any of them, the push at‐
276       tempt is denied.  If there  are  registries  in  the  allowedRegistries
277       list,  and  the portion of the name that corresponds to the registry is
278       not in the list, the push attempt is denied.
279
280
281       TMPDIR The TMPDIR environment variable allows the user to specify where
282       temporary  files are stored while pulling and pushing images.  Defaults
283       to '/var/tmp'.
284
285

FILES

287       registries.conf (/etc/containers/registries.conf)
288
289
290       registries.conf is the configuration file which  specifies  which  con‐
291       tainer registries should be consulted when completing image names which
292       do not include a registry or domain portion.
293
294
295       policy.json (/etc/containers/policy.json)
296
297
298       Signature policy file.  This defines the trust policy for container im‐
299       ages.   Controls  which container registries can be used for image, and
300       whether or not the tool should trust the images.
301
302