skopeo-copy(1)()                                              skopeo-copy(1)()

NAME

       skopeo-copy - Copy an image (manifest, filesystem layers, signatures)
       from one location to another.

SYNOPSIS

       skopeo copy [--sign-by=key-ID] source-image destination-image

DESCRIPTION

       Copy an image (manifest, filesystem layers, signatures) from one
       location to another.

       Uses the system's trust policy to validate images, and rejects images
       not trusted by the policy.

       source-image uses the "image name" format described above.

       destination-image uses the "image name" format described above.

       source-image and destination-image are interpreted completely
       independently; e.g. the destination name does not automatically
       inherit any parts of the source name.

OPTIONS

       --all
           If source-image refers to a list of images, instead of copying
           just the image which matches the current OS and architecture
           (subject to the use of the global --override-os, --override-arch
           and --override-variant options), attempt to copy all of the images
           in the list, and the list itself.

       --authfile path
           Path of the authentication file. Default is
           ${XDG_RUNTIME_DIR}/containers/auth.json, which is set using
           skopeo login. If the authorization state is not found there,
           $HOME/.docker/config.json is checked, which is set using
           docker login.

           Note: You can also override the default path of the authentication
           file by setting the REGISTRY_AUTH_FILE environment variable:

               export REGISTRY_AUTH_FILE=path
57
58
       --src-authfile path
           Path of the authentication file for the source registry. Uses the
           path given by --authfile, if not provided.

       --dest-authfile path
           Path of the authentication file for the destination registry. Uses
           the path given by --authfile, if not provided.

       --digestfile path
           After copying the image, write the digest of the resulting image
           to the file.

       --format, -f manifest-type
           Manifest type (oci, v2s1, or v2s2) to use when saving image to
           directory using the 'dir:' transport (default is manifest type of
           source).
83
84
       --quiet, -q
           Suppress output information when copying images.

       --remove-signatures
           Do not copy signatures, if any, from source-image. Necessary when
           copying a signed image to a destination which does not support
           signatures.

       --sign-by=key-id
           Add a signature using that key ID for an image name corresponding
           to destination-image.

       --encryption-key protocol:keyfile
           Specifies the encryption protocol, which can be JWE (RFC7516), PGP
           (RFC4880), and PKCS7 (RFC2315), and the key material required for
           image encryption. For instance, jwe:/path/to/key.pem or
           pgp:admin@example.com or pkcs7:/path/to/x509-file.

       --decryption-key key[:passphrase]
           Key to be used for decryption of images. Key can point to keys
           and/or certificates. Decryption will be tried with all keys. If the
           key is protected by a passphrase, it is required to be passed in
           the argument and omitted otherwise.

       --src-creds username[:password]
           Credentials for accessing the source registry.

       --dest-compress bool-value
           Compress tarball image layers when saving to directory using the
           'dir' transport (default is same compression type as source).

       --dest-oci-accept-uncompressed-layers bool-value
           Allow uncompressed image layers when saving to an OCI image using
           the 'oci' transport (default is to compress things that aren't
           compressed).

       --dest-creds username[:password]
           Credentials for accessing the destination registry.
125
126
       --src-cert-dir path
           Use certificates at path (*.crt, *.cert, *.key) to connect to the
           source registry or daemon.

       --src-no-creds bool-value
           Access the registry anonymously.

       --src-tls-verify bool-value
           Require HTTPS and verify certificates when talking to container
           source registry or daemon (defaults to true).

       --dest-cert-dir path
           Use certificates at path (*.crt, *.cert, *.key) to connect to the
           destination registry or daemon.

       --dest-no-creds bool-value
           Access the registry anonymously.

       --dest-tls-verify bool-value
           Require HTTPS and verify certificates when talking to container
           destination registry or daemon (defaults to true).

       --src-daemon-host host
           Copy from docker daemon at host. If host starts with tcp://, HTTPS
           is enabled by default. To use plain HTTP, use the form http://
           (default is unix:///var/run/docker.sock).

       --dest-daemon-host host
           Copy to docker daemon at host. If host starts with tcp://, HTTPS
           is enabled by default. To use plain HTTP, use the form http://
           (default is unix:///var/run/docker.sock).
157
158
       Existing signatures, if any, are preserved as well.

       --dest-compress-format format
           Specifies the compression format to use. Supported values are:
           gzip and zstd.

       --dest-compress-level format
           Specifies the compression level to use. The value is specific to
           the compression algorithm used, e.g. for zstd the accepted values
           are in the range 1-20 (inclusive), while for gzip it is 1-9
           (inclusive).

       --src-registry-token
           Bearer token for accessing the source registry.

       --dest-registry-token
           Bearer token for accessing the destination registry.
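
       The lookup order described under --authfile, written out as a shell
       check that also reports whether the selected credentials file is
       readable by other users. This is an added example, not part of the
       original page or of skopeo; the function names are hypothetical, and
       it assumes that a path given with --authfile takes precedence over
       REGISTRY_AUTH_FILE and that an explicit path has no fallback.

```sh
#!/bin/sh
# Added example: models the lookup order documented for --authfile above.
# This is not skopeo's own code; the function names are hypothetical.

# resolve_authfile [path]: path stands for the value passed to --authfile.
resolve_authfile() {
    explicit="${1:-${REGISTRY_AUTH_FILE:-}}"
    if [ -n "$explicit" ]; then
        # Assumption: an explicit path replaces the default with no fallback.
        printf '%s\n' "$explicit"
        return 0
    fi
    for candidate in \
        "${XDG_RUNTIME_DIR:+$XDG_RUNTIME_DIR/containers/auth.json}" \
        "$HOME/.docker/config.json"
    do
        if [ -n "$candidate" ] && [ -f "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1    # nothing stored: no credentials would be sent
}

# authfile_is_private path: true when group and others have no access bits.
authfile_is_private() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c5-10)
    [ "$mode" = "------" ]
}

# audit_authfile [path]: report which file would be used and whether it is private.
audit_authfile() {
    file=$(resolve_authfile "$@") || { echo "none"; return 0; }
    [ -f "$file" ] || { echo "missing $file"; return 0; }
    if authfile_is_private "$file"; then
        echo "ok $file"
    else
        echo "exposed $file"
    fi
}
```

       audit_authfile prints "ok", "exposed", "missing" or "none"; an
       "exposed" file should be restricted with chmod 600.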

EXAMPLES

       To just copy an image from one registry to another:

              $ skopeo copy docker://quay.io/skopeo/stable:latest docker://registry.example.com/skopeo:latest

       To copy the layers of the docker.io busybox image to a local directory:

              $ mkdir -p /var/lib/images/busybox
              $ skopeo copy docker://busybox:latest dir:/var/lib/images/busybox
              $ ls /var/lib/images/busybox/*
                /tmp/busybox/2b8fd9751c4c0f5dd266fcae00707e67a2545ef34f9a29354585f93dac906749.tar
                /tmp/busybox/manifest.json
                /tmp/busybox/8ddc19f16526912237dd8af81971d5e4dd0587907234be2b83e249518d5b673f.tar

       To copy and sign an image:

              # skopeo copy --sign-by dev@example.com containers-storage:example/busybox:streaming docker://example/busybox:gold
205
       To encrypt an image:

              skopeo copy docker://docker.io/library/nginx:1.17.8 oci:local_nginx:1.17.8

              openssl genrsa -out private.key 1024
              openssl rsa -in private.key -pubout > public.key

              skopeo copy --encryption-key jwe:./public.key oci:local_nginx:1.17.8 oci:try-encrypt:encrypted

       To decrypt an image:

              skopeo copy --decryption-key ./private.key oci:try-encrypt:encrypted oci:try-decrypt:decrypted

       To copy an encrypted image without decrypting it:

              skopeo copy oci:try-encrypt:encrypted oci:try-encrypt-copy:encrypted

       To decrypt an image that requires more than one key:

              skopeo copy --decryption-key ./private1.key --decryption-key ./private2.key --decryption-key ./private3.key oci:try-encrypt:encrypted oci:try-decrypt:decrypted
238
       Container images can also be partially encrypted by specifying the
       index of the layer. Layer indices are 0-based, with support for
       negative indexing, i.e. 0 is the first layer and -1 is the last layer.

       For example, to encrypt only the 2nd of the 3 layers that make up the
       image docker.io/library/nginx:1.17.8:

              skopeo copy --encryption-key jwe:./public.key --encrypt-layer 1 oci:local_nginx:1.17.8 oci:try-encrypt:encrypted
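
       To turn the file written by --digestfile into a digest-pinned
       reference, so that later pulls do not depend on a mutable tag. This is
       an added example, not part of the original page or of skopeo;
       pinned_ref is a hypothetical helper, and it assumes the file holds a
       single sha256 digest and that the destination uses the docker://
       transport.

```sh
#!/bin/sh
# Added example, not skopeo code; pinned_ref is a hypothetical helper.
# Usage: pinned_ref docker://registry/repo[:tag] digestfile
# Prints docker://registry/repo@sha256:<hex>; returns 1 on a bad digest file,
# 2 when the reference does not use the docker:// transport.
pinned_ref() {
    ref=$1
    digestfile=$2
    # Take the first line only and drop whitespace around the digest.
    digest=$(head -n 1 "$digestfile" 2>/dev/null | tr -d '[:space:]')
    # Assumption: only sha256 digests are accepted here.
    printf '%s\n' "$digest" | grep -Eq '^sha256:[0-9a-f]{64}$' || return 1
    case $ref in
        docker://*) ;;
        *) return 2 ;;
    esac
    name=${ref#docker://}
    name=${name%%@*}              # drop any digest already present
    last=${name##*/}              # final path component
    case $last in
        *:*) name=${name%:*} ;;   # drop the tag, but never a registry port
    esac
    printf 'docker://%s@%s\n' "$name" "$digest"
}
```

       A non-zero return means the digest file should not be trusted as
       input for a pinned pull.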

SEE ALSO

       skopeo(1), skopeo-login(1), docker-login(1), containers-auth.json(5),
       containers-policy.json(5), containers-transports(5)

AUTHORS

       Antonio Murdaca <runcom@redhat.com>, Miloslav Trmac <mitr@redhat.com>,
       Jhon Honce <jhonce@redhat.com>