1skopeo-sync(1)() skopeo-sync(1)()
2
6 skopeo-sync - Synchronize images between container registries and local
7 directories.
8
11 skopeo sync --src transport --dest transport source destination
12
15 Synchronize images between container registries and local directories.
16 The synchronization is achieved by copying all the images found at
17 source to destination.
18 Useful to synchronize a local container registry mirror, and to to pop‐
21 ulate registries running inside of air-gapped environments.
22 Differently from other skopeo commands, skopeo sync requires both
25 source and destination transports to be specified separately from
26 source and destination. One of the problems of prefixing a destination
27 with its transport is that, the registry docker://hostname:port would
28 be wrongly interpreted as an image reference at a non-fully qualified
29 registry, with hostname and port the image name and tag.
30 Available source transports:
33 - docker (i.e. --src docker): source is a repository hosted on a con‐
34 tainer registry (e.g.: registry.example.com/busybox).
35 If no image tag is specified, skopeo sync copies all the tags found in
36 that repository.
37 - dir (i.e. --src dir): source is a local directory path (e.g.: /me‐
38 dia/usb/). Refer to skopeo(1) dir:path for the local image format.
39 - yaml (i.e. --src yaml): source is local YAML file path.
40 The YAML file should specify the list of images copied from different
41 container registries (local directories are not supported). Refer to
42 EXAMPLES for the file format.
43 Available destination transports:
46 - docker (i.e. --dest docker): destination is a container registry
47 (e.g.: my-registry.local.lan).
48 - dir (i.e. --dest dir): destination is a local directory path (e.g.:
49 /media/usb/).
50 One directory per source 'image:tag' is created for each copied image.
51 When the --scoped option is specified, images are prefixed with the
54 source image path so that multiple images with the same name can be
55 stored at destination.
56
59 --all If one of the images in src refers to a list of images, instead
60 of copying just the image which matches the current OS and architecture
61 (subject to the use of the global --override-os, --override-arch and
62 --override-variant options), attempt to copy all of the images in the
63 list, and the list itself.
64 --authfile path
67 Path of the authentication file. Default is ${XDG_RUNTIME_DIR}/contain‐
70 ers/auth.json, which is set using skopeo login. If the authorization
71 state is not found there, $HOME/.docker/config.json is checked, which
72 is set using docker login.
73 --src-authfile path
76 Path of the authentication file for the source registry. Uses path
79 given by --authfile, if not provided.
80 --dest-authfile path
83 Path of the authentication file for the destination registry. Uses path
86 given by --authfile, if not provided.
87 --src transport Transport for the source repository.
90 --dest transport Destination transport.
93 --format, -f manifest-type Manifest Type (oci, v2s1, or v2s2) to use
96 when syncing image(s) to a destination (default is manifest type of
97 source).
98 --scoped Prefix images with the source image path, so that multiple im‐
101 ages with the same name can be stored at destination.
102 --remove-signatures Do not copy signatures, if any, from source-image.
105 This is necessary when copying a signed image to a destination which
106 does not support signatures.
107 --sign-by=key-id Add a signature using that key ID for an image name
110 corresponding to destination-image.
111 --src-creds username[:password] for accessing the source registry.
114 --dest-creds username[:password] for accessing the destination reg‐
117 istry.
118 --src-cert-dir path Use certificates (*.crt, *.cert, *.key) at path to
121 connect to the source registry or daemon.
122 --src-no-creds bool-value Access the registry anonymously.
125 --src-tls-verify bool-value Require HTTPS and verify certificates when
128 talking to a container source registry or daemon (defaults to true).
129 --dest-cert-dir path Use certificates (*.crt, *.cert, *.key) at path to
132 connect to the destination registry or daemon.
133 --dest-no-creds bool-value Access the registry anonymously.
136 --dest-tls-verify bool-value Require HTTPS and verify certificates when
139 talking to a container destination registry or daemon (defaults to
140 true).
141 --src-registry-token Bearer token for accessing the source registry.
144 --dest-registry-token Bearer token for accessing the destination reg‐
147 istry.
148
151 Synchronizing to a local directory
152 $ skopeo sync --src docker --dest dir registry.example.com/busybox /media/usb
153 Images are located at:
157 /media/usb/busybox:1-glibc
160 /media/usb/busybox:1-musl
161 /media/usb/busybox:1-ubuntu
162 /media/usb/busybox:latest
163 Synchronizing to a container registry from local
167 Images are located at:
168 /media/usb/busybox:1-glibc
171 Sync run
175 $ skopeo sync --src dir --dest docker /media/usb/busybox:1-glibc my-registry.local.lan/test/
178 Destination registry content:
182 REPO TAGS
185 my-registry.local.lan/test/busybox 1-glibc
186 Synchronizing to a local directory, scoped
190 $ skopeo sync --src docker --dest dir --scoped registry.example.com/busybox /media/usb
191 Images are located at:
195 /media/usb/registry.example.com/busybox:1-glibc
198 /media/usb/registry.example.com/busybox:1-musl
199 /media/usb/registry.example.com/busybox:1-ubuntu
200 /media/usb/registry.example.com/busybox:latest
201 Synchronizing to a container registry
205 skopeo sync --src docker --dest docker registry.example.com/busybox my-registry.local.lan
206 Destination registry content:
210 REPO TAGS
213 registry.local.lan/busybox 1-glibc, 1-musl, 1-ubuntu, ..., latest
214 Synchronizing to a container registry keeping the repository
218 skopeo sync --src docker --dest docker registry.example.com/repo/busybox my-registry.local.lan/repo
219 Destination registry content:
223 REPO TAGS
226 registry.local.lan/repo/busybox 1-glibc, 1-musl, 1-ubuntu, ..., latest
227 YAML file content (used source for **--src yaml**)
231 registry.example.com:
232 images:
233 busybox: []
234 redis:
235 - "1.0"
236 - "2.0"
237 - "sha256:0000000000000000000000000000000011111111111111111111111111111111"
238 images-by-tag-regex:
239 nginx: ^1\.13\.[12]-alpine-perl$
240 credentials:
241 username: john
242 password: this is a secret
243 tls-verify: true
244 cert-dir: /home/john/certs
245 quay.io:
246 tls-verify: false
247 images:
248 coreos/etcd:
249 - latest
250 If the yaml filename is sync.yml, sync run:
254 skopeo sync --src yaml --dest docker sync.yml my-registry.local.lan/repo/
257 This will copy the following images: - Repository registry.exam‐
261 ple.com/busybox: all images, as no tags are specified. - Repository
262 registry.example.com/redis: images tagged "1.0" and "2.0" along with
263 image with digest
264 "sha256:0000000000000000000000000000000011111111111111111111111111111111".
265 - Repository registry.example.com/nginx: images tagged
266 "1.13.1-alpine-perl" and "1.13.2-alpine-perl". - Repository
267 quay.io/coreos/etcd: images tagged "latest".
268 For the registry registry.example.com, the "john"/"this is a secret"
271 credentials are used, with server TLS certificates located at
272 /home/john/certs.
273 TLS verification is normally enabled, and it can be disabled setting
276 tls-verify to false. In the above example, TLS verification is enabled
277 for registry.example.com, while is disabled for quay.io.
278
281 skopeo(1), skopeo-login(1), docker-login(1), containers-auth.json(5),
282 containers-policy.json(5), containers-transports(5)
283
286 Flavio Castelli fcastelli@suse.com ⟨mailto:fcastelli@suse.com⟩, Marco
287 Vedovati mvedovati@suse.com ⟨mailto:mvedovati@suse.com⟩
288 skopeo-sync(1)()