skopeo-copy(1)()

NAME

skopeo-copy - Copy an image (manifest, filesystem layers, signatures)
from one location to another.

SYNOPSIS

skopeo copy [--sign-by=key-ID] source-image destination-image

DESCRIPTION

Copy an image (manifest, filesystem layers, signatures) from one
location to another.

Uses the system's trust policy to validate images, rejects images not
trusted by the policy.

source-image use the "image name" format described above

destination-image use the "image name" format described above

source-image and destination-image are interpreted completely
independently; e.g. the destination name does not automatically inherit
any parts of the source name.

OPTIONS

--all

If source-image refers to a list of images, instead of copying just the
image which matches the current OS and architecture (subject to the use
of the global --override-os, --override-arch and --override-variant
options), attempt to copy all of the images in the list, and the list
itself.

--authfile path

Path of the authentication file. Default is
${XDG_RUNTIME_DIR}/containers/auth.json, which is set using skopeo
login. If the authorization state is not found there,
$HOME/.docker/config.json is checked, which is set using docker login.

Note: You can also override the default path of the authentication file
by setting the REGISTRY_AUTH_FILE environment variable:

    export REGISTRY_AUTH_FILE=path

--src-authfile path

Path of the authentication file for the source registry. Uses path
given by --authfile, if not provided.

--dest-authfile path

Path of the authentication file for the destination registry. Uses path
given by --authfile, if not provided.

--digestfile path

After copying the image, write the digest of the resulting image to the
file.

--format, -f manifest-type

Manifest type (oci, v2s1, or v2s2) to use when saving image to directory
using the 'dir:' transport (default is manifest type of source).

--quiet, -q

Suppress output information when copying images.

--remove-signatures

Do not copy signatures, if any, from source-image. Necessary when
copying a signed image to a destination which does not support
signatures.

--sign-by=key-id

Add a signature using that key ID for an image name corresponding to
destination-image.

--encryption-key protocol:keyfile

Specifies the encryption protocol, which can be JWE (RFC7516), PGP
(RFC4880) or PKCS7 (RFC2315), and the key material required for image
encryption. For instance, jwe:/path/to/key.pem or pgp:admin@example.com
or pkcs7:/path/to/x509-file.

--decryption-key key[:passphrase]

Key to be used for decryption of images. Key can point to keys and/or
certificates. Decryption will be tried with all keys. If the key is
protected by a passphrase, the passphrase must be passed in the
argument; otherwise it is omitted.

--src-creds username[:password]

Credentials for accessing the source registry.

--dest-compress bool-value

Compress tarball image layers when saving to directory using the 'dir'
transport (default is same compression type as source).

--dest-oci-accept-uncompressed-layers bool-value

Allow uncompressed image layers when saving to an OCI image using the
'oci' transport (default is to compress things that aren't compressed).

--dest-creds username[:password]

Credentials for accessing the destination registry.

--src-cert-dir path

Use certificates at path (*.crt, *.cert, *.key) to connect to the source
registry or daemon.

--src-no-creds bool-value

Access the registry anonymously.

--src-tls-verify bool-value

Require HTTPS and verify certificates when talking to container source
registry or daemon (defaults to true).

--dest-cert-dir path

Use certificates at path (*.crt, *.cert, *.key) to connect to the
destination registry or daemon.

--dest-no-creds bool-value

Access the registry anonymously.

--dest-tls-verify bool-value

Require HTTPS and verify certificates when talking to container
destination registry or daemon (defaults to true).

--src-daemon-host host

Copy from docker daemon at host. If host starts with tcp://, HTTPS is
enabled by default. To use plain HTTP, use the form http:// (default is
unix:///var/run/docker.sock).

--dest-daemon-host host

Copy to docker daemon at host. If host starts with tcp://, HTTPS is
enabled by default. To use plain HTTP, use the form http:// (default is
unix:///var/run/docker.sock).

Existing signatures, if any, are preserved as well.

--dest-compress-format format

Specifies the compression format to use. Supported values are: gzip and
zstd.

--dest-compress-level format

Specifies the compression level to use. The value is specific to the
compression algorithm used, e.g. for zstd the accepted values are in the
range 1-20 (inclusive), while for gzip it is 1-9 (inclusive).

--src-registry-token

Bearer token for accessing the source registry.

--dest-registry-token

Bearer token for accessing the destination registry.

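The authentication-file lookup described under --authfile, --src-authfile and --dest-authfile can be audited before a copy job runs. The following Python is an added example, not part of skopeo or of the original page; the function names, the sample registry and user, and the flag-over-environment precedence are assumptions, and the file layout is the "auths" map documented in containers-auth.json(5).

```python
import base64, json, os, stat, tempfile

def candidate_authfiles(side_flag=None, authfile_flag=None, env=None):
    """Auth files consulted for one side of a copy, in lookup order."""
    env = os.environ if env is None else env
    # --src-authfile/--dest-authfile fall back to --authfile; REGISTRY_AUTH_FILE
    # replaces the default path. Flag-over-environment order is an assumption.
    explicit = side_flag or authfile_flag or env.get("REGISTRY_AUTH_FILE")
    if explicit:
        return [explicit]
    paths = []
    if env.get("XDG_RUNTIME_DIR"):
        paths.append(os.path.join(env["XDG_RUNTIME_DIR"], "containers", "auth.json"))
    if env.get("HOME"):
        paths.append(os.path.join(env["HOME"], ".docker", "config.json"))
    return paths

def audit_authfile(path):
    """Flag loose permissions and list registries with a stored secret."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(f"mode {mode:04o}: readable beyond the owner")
    with open(path) as fh:
        auths = json.load(fh).get("auths", {})
    for registry, entry in sorted(auths.items()):
        if "auth" in entry:  # base64("user:password"), encoded but not encrypted
            user = base64.b64decode(entry["auth"]).decode().split(":", 1)[0]
            findings.append(f"stored password for {user} at {registry}")
    return findings

def demo():
    """Constructed input: a world-readable auth.json holding one credential."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "containers"))
    path = os.path.join(root, "containers", "auth.json")
    secret = base64.b64encode(b"ci-bot:not-a-real-password").decode()
    with open(path, "w") as fh:
        json.dump({"auths": {"registry.example.com": {"auth": secret}}}, fh)
    os.chmod(path, 0o644)
    env = {"XDG_RUNTIME_DIR": root, "HOME": os.path.join(root, "home")}
    existing = [p for p in candidate_authfiles(env=env) if os.path.exists(p)]
    return {p: audit_authfile(p) for p in existing}

if __name__ == "__main__":
    for path, findings in demo().items():
        for finding in findings:
            print(f"{path}: {finding}")
```
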
EXAMPLES

To just copy an image from one registry to another:

    $ skopeo copy docker://quay.io/skopeo/stable:latest docker://registry.example.com/skopeo:latest

To copy the layers of the docker.io busybox image to a local directory:

    $ mkdir -p /var/lib/images/busybox
    $ skopeo copy docker://busybox:latest dir:/var/lib/images/busybox
    $ ls /var/lib/images/busybox/*
    /var/lib/images/busybox/2b8fd9751c4c0f5dd266fcae00707e67a2545ef34f9a29354585f93dac906749.tar
    /var/lib/images/busybox/manifest.json
    /var/lib/images/busybox/8ddc19f16526912237dd8af81971d5e4dd0587907234be2b83e249518d5b673f.tar

To copy and sign an image:

    # skopeo copy --sign-by dev@example.com containers-storage:example/busybox:streaming docker://example/busybox:gold

To encrypt an image:

    skopeo copy docker://docker.io/library/nginx:1.17.8 oci:local_nginx:1.17.8

    # Generate an RSA key pair; 2048 bits or more, since 1024-bit RSA is too weak to protect image contents
    openssl genrsa -out private.key 2048
    openssl rsa -in private.key -pubout > public.key

    skopeo copy --encryption-key jwe:./public.key oci:local_nginx:1.17.8 oci:try-encrypt:encrypted

To decrypt an image:

    skopeo copy --decryption-key ./private.key oci:try-encrypt:encrypted oci:try-decrypt:decrypted

To copy an encrypted image without decryption:

    skopeo copy oci:try-encrypt:encrypted oci:try-encrypt-copy:encrypted

To decrypt an image that requires more than one key:

    skopeo copy --decryption-key ./private1.key --decryption-key ./private2.key --decryption-key ./private3.key oci:try-encrypt:encrypted oci:try-decrypt:decrypted

Container images can also be partially encrypted by specifying the
index of the layer. Layer indices are 0-based, with support for negative
indexing, i.e. 0 is the first layer and -1 is the last layer.

Let's say that, out of the 3 layers that the image
docker.io/library/nginx:1.17.8 is made up of, we only want to encrypt
the 2nd layer:

    skopeo copy --encryption-key jwe:./public.key --encrypt-layer 1 oci:local_nginx:1.17.8 oci:try-encrypt:encrypted

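After a partial encryption like the one above, the resulting manifest can be checked to confirm that exactly the requested layers were encrypted. The following Python is an added example, not part of skopeo or of the original page; it assumes encrypted layers carry a media type ending in "+encrypted" (the ocicrypt convention), treats an empty index list as "encrypt every layer", and runs on a constructed three-layer manifest with placeholder digests.

```python
import json

ENC_SUFFIX = "+encrypted"  # assumed media-type marker for an encrypted layer
GZIP_LAYER = "application/vnd.oci.image.layer.v1.tar+gzip"

# Constructed manifest: three layers, only the 2nd (index 1) encrypted.
SAMPLE_MANIFEST = json.dumps({
    "schemaVersion": 2,
    "layers": [
        {"mediaType": GZIP_LAYER, "digest": "sha256:" + "a" * 64},
        {"mediaType": GZIP_LAYER + ENC_SUFFIX, "digest": "sha256:" + "b" * 64,
         "annotations": {"org.opencontainers.image.enc.keys.jwe": "placeholder"}},
        {"mediaType": GZIP_LAYER, "digest": "sha256:" + "c" * 64},
    ],
})

def normalize(indices, layer_count):
    """Map --encrypt-layer values (0-based, negatives from the end) to positions."""
    if not indices:  # assumption: no index given means every layer is encrypted
        return set(range(layer_count))
    resolved = set()
    for i in indices:
        pos = i + layer_count if i < 0 else i
        if not 0 <= pos < layer_count:
            raise ValueError(f"layer index {i} out of range for {layer_count} layers")
        resolved.add(pos)
    return resolved

def check_encryption(manifest_json, requested):
    """Return (layers left in plaintext, layers encrypted unexpectedly)."""
    layers = json.loads(manifest_json)["layers"]
    want = normalize(requested, len(layers))
    have = {n for n, layer in enumerate(layers)
            if layer["mediaType"].endswith(ENC_SUFFIX)}
    return sorted(want - have), sorted(have - want)

if __name__ == "__main__":
    for requested in ([1], [-2], [-1], []):
        plaintext, extra = check_encryption(SAMPLE_MANIFEST, requested)
        print(f"--encrypt-layer {requested}: still plaintext {plaintext}, "
              f"unexpectedly encrypted {extra}")
```

The manifest JSON for a real image can be obtained with skopeo inspect --raw and passed to check_encryption() as a string.
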
SEE ALSO

skopeo(1), skopeo-login(1), docker-login(1), containers-auth.json(5),
containers-policy.json(5), containers-transports(5)

AUTHORS

Antonio Murdaca <runcom@redhat.com>, Miloslav Trmac <mitr@redhat.com>,
Jhon Honce <jhonce@redhat.com>