podman-pull(1)()                                              podman-pull(1)()

NAME

       podman-pull - Pull an image from a registry

SYNOPSIS

       podman pull [options] source

       podman image pull [options] source

       podman pull [options] [transport]name[:tag|@digest]

       podman image pull [options] [transport]name[:tag|@digest]

DESCRIPTION

       Copies an image from a registry onto the local machine. The podman pull
       command pulls an image. If the image reference in the command line
       argument does not contain a registry, it is referred to as a short-name
       reference. If the image is a short-name reference, Podman will prompt
       the user for the specific container registry to pull the image from, if
       an alias for the short-name has not been specified in
       short-name-aliases.conf. If an image tag is not specified, podman pull
       defaults to the image with the latest tag (if it exists) and pulls it.
       After the image is pulled, podman will print the full image ID. podman
       pull can also pull an image using its digest: podman pull image@digest.
       podman pull can be used to pull images from archives and local storage
       using different transports.

Image storage

       Images are stored in local image storage.

SOURCE

       The SOURCE is the location from which the container images are pulled.
       The image SOURCE uses a "transport":"details" format. Only the docker
       (container registry) transport is allowed for remote access.

       Multiple transports are supported:

       dir:path
         An existing local directory path storing the manifest, layer tarballs
         and signatures as individual files. This is a non-standardized
         format, primarily useful for debugging or noninvasive container
         inspection.

              $ podman pull dir:/tmp/myimage

       docker://docker-reference (Default)
         An image reference stored in a remote container image registry. The
         reference can include a path to a specific registry; if it does not,
         the registries listed in registries.conf will be queried to find a
         matching image. By default, credentials from podman login (stored at
         $XDG_RUNTIME_DIR/containers/auth.json by default) will be used to
         authenticate; if these cannot be found, Podman falls back to using
         credentials in $HOME/.docker/config.json.

              $ podman pull quay.io/username/myimage

       docker-archive:path[:docker-reference]
         An image stored in a docker save formatted file. docker-reference is
         only used when creating such a file, and it must not contain a
         digest.

              $ podman pull docker-archive:/tmp/myimage

       docker-daemon:docker-reference
         An image in docker-reference format stored in the docker daemon
         internal storage. The docker-reference can also be an image ID
         (docker-daemon:algo:digest).

              $ sudo podman pull docker-daemon:docker.io/library/myimage:33

       oci-archive:path:tag
         An image tag in a directory compliant with "Open Container Image
         Layout Specification" at path.

              $ podman pull oci-archive:/tmp/myimage

OPTIONS

   --all-tags, -a
       All tagged images in the repository will be pulled.

       Note: When using the all-tags flag, Podman will not iterate over the
       search registries in the containers-registries.conf(5) but will always
       use docker.io for unqualified image names.

   --arch=ARCH
       Override the architecture of the image to be pulled (defaults to the
       host's architecture). For example, arm.

   --authfile=path
       Path of the authentication file. Default is
       ${XDG_RUNTIME_DIR}/containers/auth.json, which is set using podman
       login. If the authorization state is not found there,
       $HOME/.docker/config.json is checked, which is set using docker login.

       Note: You can also override the default path of the authentication file
       by setting the REGISTRY_AUTH_FILE environment variable:
       export REGISTRY_AUTH_FILE=path

   --cert-dir=path
       Use certificates at path (*.crt, *.cert, *.key) to connect to the
       registry. Please refer to containers-certs.d(5) for details. (This
       option is not available with the remote Podman client)

   --creds=[username[:password]]
       The [username[:password]] to use to authenticate with the registry if
       required. If one or both values are not supplied, a command line
       prompt will appear and the value can be entered. The password is
       entered without echo.

   --disable-content-trust
       This is a Docker specific option to disable image verification to a
       Docker registry and is not supported by Podman. This flag is a NOOP
       and provided solely for scripting compatibility.

   --help, -h
       Print usage statement

   --os=OS
       Override the OS of the image to be pulled (defaults to the host's OS).
       For example, windows.

   --platform=OS/ARCH
       Specify the platform for selecting the image. (Conflicts with --arch
       and --os) The --platform option can be used to override the current
       architecture and operating system.

   --quiet, -q
       Suppress output information when pulling images

   --tls-verify=true|false
       Require HTTPS and verify certificates when contacting registries
       (default: true). If explicitly set to true, then TLS verification will
       be used. If set to false, then TLS verification will not be used. If
       not specified, TLS verification will be used unless the target registry
       is listed as an insecure registry in registries.conf.

   --variant=VARIANT
       Use VARIANT instead of the default architecture variant of the
       container image. Some images can use multiple variants of the arm
       architectures, such as arm/v5 and arm/v7.

EXAMPLES

              $ podman pull alpine:latest
              Trying to pull registry.access.redhat.com/alpine:latest... Failed
              Trying to pull registry.fedoraproject.org/alpine:latest... Failed
              Trying to pull docker.io/library/alpine:latest...Getting image source signatures
              Copying blob sha256:88286f41530e93dffd4b964e1db22ce4939fffa4a4c665dab8591fbab03d4926
               1.90 MB / 1.90 MB [========================================================] 0s
              Copying config sha256:76da55c8019d7a47c347c0dceb7a6591144d232a7dd616242a367b8bed18ecbc
               1.48 KB / 1.48 KB [========================================================] 0s
              Writing manifest to image destination
              Storing signatures
              04660052281190168dbb2362eb15bf7067a8dc642d2498055e0e72efa961a4b6

              $ podman pull alpine@sha256:d7342993700f8cd7aba8496c2d0e57be0666e80b4c441925fc6f9361fa81d10e
              Trying to pull docker.io/library/alpine@sha256:d7342993700f8cd7aba8496c2d0e57be0666e80b4c441925fc6f9361fa81d10e...
              Getting image source signatures
              Copying blob 188c0c94c7c5 done
              Copying config d6e46aa247 done
              Writing manifest to image destination
              Storing signatures
              d6e46aa2470df1d32034c6707c8041158b652f38d2a9ae3d7ad7e7532d22ebe0

              $ podman pull --authfile temp-auths/myauths.json docker://docker.io/umohnani/finaltest
              Trying to pull docker.io/umohnani/finaltest:latest...Getting image source signatures
              Copying blob sha256:6d987f6f42797d81a318c40d442369ba3dc124883a0964d40b0c8f4f7561d913
               1.90 MB / 1.90 MB [========================================================] 0s
              Copying config sha256:ad4686094d8f0186ec8249fc4917b71faa2c1030d7b5a025c29f26e19d95c156
               1.41 KB / 1.41 KB [========================================================] 0s
              Writing manifest to image destination
              Storing signatures
              03290064078cb797f3e0a530e78c20c13dd22a3dd3adf84a5da2127b48df0438

              $ podman pull --creds testuser:testpassword docker.io/umohnani/finaltest
              Trying to pull docker.io/umohnani/finaltest:latest...Getting image source signatures
              Copying blob sha256:6d987f6f42797d81a318c40d442369ba3dc124883a0964d40b0c8f4f7561d913
               1.90 MB / 1.90 MB [========================================================] 0s
              Copying config sha256:ad4686094d8f0186ec8249fc4917b71faa2c1030d7b5a025c29f26e19d95c156
               1.41 KB / 1.41 KB [========================================================] 0s
              Writing manifest to image destination
              Storing signatures
              03290064078cb797f3e0a530e78c20c13dd22a3dd3adf84a5da2127b48df0438

              $ podman pull --tls-verify=false --cert-dir image/certs docker.io/umohnani/finaltest
              Trying to pull docker.io/umohnani/finaltest:latest...Getting image source signatures
              Copying blob sha256:6d987f6f42797d81a318c40d442369ba3dc124883a0964d40b0c8f4f7561d913
               1.90 MB / 1.90 MB [========================================================] 0s
              Copying config sha256:ad4686094d8f0186ec8249fc4917b71faa2c1030d7b5a025c29f26e19d95c156
               1.41 KB / 1.41 KB [========================================================] 0s
              Writing manifest to image destination
              Storing signatures
              03290064078cb797f3e0a530e78c20c13dd22a3dd3adf84a5da2127b48df0438

              $ podman pull --arch=arm arm32v7/debian:stretch
              Trying to pull docker.io/arm32v7/debian:stretch...
              Getting image source signatures
              Copying blob b531ae4a3925 done
              Copying config 3cba58dad5 done
              Writing manifest to image destination
              Storing signatures
              3cba58dad5d9b35e755b48b634acb3fdd185ab1c996ac11510cc72c17780e13c

FILES

       short-name-aliases.conf (/var/cache/containers/short-name-aliases.conf,
       $HOME/.cache/containers/short-name-aliases.conf)

       When users specify images that do not include the container registry
       where the image is stored, this is called a short name. The use of
       unqualified-search registries entails an ambiguity, as it is unclear
       from which registry a given image, referenced by a short name, may be
       pulled.

       Using short names is subject to the risk of hitting squatted registry
       namespaces. If the unqualified-search registries are set to
       ["public-registry.com", "my-private-registry.com"], an attacker may
       take over a namespace of public-registry.com such that an image may be
       pulled from public-registry.com instead of the intended source
       my-private-registry.com.

       While it is highly recommended to always use fully-qualified image
       references, existing deployments using short names may not be easily
       changed. To circumvent the aforementioned ambiguity, so-called
       short-name aliases can be configured that point to a fully-qualified
       image reference. Distributions often ship a default shortnames.conf
       expansion file in the /etc/containers/registries.conf.d/ directory.
       Administrators can use this directory to add their own local short-name
       expansion files.

       When pulling an image, if the user does not specify the complete
       registry, container engines attempt to expand the short-name into a
       full name. If the command is executed with a tty, the user will be
       prompted to select a registry from the default list of unqualified
       registries defined in registries.conf. The user's selection is then
       stored in a cache file to be used in all future short-name expansions.
       Rootful short-names are stored in
       /var/cache/containers/short-name-aliases.conf. Rootless short-names are
       stored in the $HOME/.cache/containers/short-name-aliases.conf file.

       For more information on short-names, see containers-registries.conf(5)

       registries.conf (/etc/containers/registries.conf)

       registries.conf is the configuration file which specifies which
       container registries should be consulted when completing image names
       which do not include a registry or domain portion.

       NOTE: Use the environment variable TMPDIR to change the temporary
       storage location of downloaded container images. Podman defaults to
       /var/tmp.
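
       The short-name expansion described in this section, modelled as an
       added example (not part of the Podman man page or of Podman's own
       code). It lists the sources a reference could resolve to and flags
       ambiguous short names; the function names, the sample alias and the
       simplified registry-detection rule are assumptions of the example.

```python
# Added example: models the short-name expansion described under FILES.
# Function names and the sample alias are hypothetical, not Podman's own.

def split_reference(ref):
    """Split name[:tag|@digest] into (name, tag, digest)."""
    name, _, digest = ref.partition("@")
    last = name.rsplit("/", 1)[-1]  # a ':' before the last '/' is a registry port
    tag = ""
    if ":" in last:
        name, tag = name.rsplit(":", 1)
    return name, tag, digest


def has_registry(name):
    """Simplified Docker reference rule (assumption of this example): the
    first path component names a registry only if it contains '.' or ':'
    or is exactly 'localhost'."""
    first, slash, _ = name.partition("/")
    return bool(slash) and ("." in first or ":" in first or first == "localhost")


def audit(ref, search_registries, aliases):
    """Return (sources the reference could resolve to, findings)."""
    name, tag, digest = split_reference(ref)
    findings = []
    if has_registry(name):
        sources = [name]                      # fully qualified: one source
    elif name in aliases:
        sources = [aliases[name]]             # alias pins the short name
    else:
        sources = [f"{reg}/{name}" for reg in search_registries]
        findings.append("short name without alias")
        if len(sources) > 1:
            findings.append(f"ambiguous: could resolve to any of "
                            f"{len(sources)} registries")
    if not tag and not digest:
        findings.append("no tag or digest: defaults to latest")
    return sources, findings


# Constructed sample input, using the registry names from the text above.
SEARCH = ["public-registry.com", "my-private-registry.com"]
ALIASES = {"team/app": "my-private-registry.com/team/app"}  # hypothetical alias

if __name__ == "__main__":
    for ref in ("team/tool:1.2", "team/app:1.2",
                "my-private-registry.com/team/tool"):
        print(ref, *audit(ref, SEARCH, ALIASES), sep="\n    ")
```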

SEE ALSO

       podman(1), podman-push(1), podman-login(1), containers-certs.d(5),
       containers-registries.conf(5)

HISTORY

       July 2017, Originally compiled by Urvashi Mohnani <umohnani@redhat.com>