1skopeo-copy(1)() skopeo-copy(1)()
2
6 skopeo-copy - Copy an image (manifest, filesystem layers, signatures)
7 from one location to another.
8
11 skopeo copy [options] source-image destination-image
12
15 Copy an image (manifest, filesystem layers, signatures) from one loca‐
16 tion to another.
17 Uses the system's trust policy to validate images, rejects images not
20 trusted by the policy.
21 source-image use the "image name" format described above
24 destination-image use the "image name" format described above
27 source-image and destination-image are interpreted completely indepen‐
30 dently; e.g. the destination name does not automatically inherit any
31 parts of the source name.
32
35 --additional-tag=strings
36 Additional tags (supports docker-archive).
39 --all, -a
42 If source-image refers to a list of images, instead of copying just the
45 image which matches the current OS and architecture (subject to the use
46 of the global --override-os, --override-arch and --override-variant op‐
47 tions), attempt to copy all of the images in the list, and the list it‐
48 self.
49 --authfile path
52 Path of the authentication file. Default is ${XDG_RUNTIME_DIR}/contain‐
55 ers/auth.json, which is set using skopeo login. If the authorization
56 state is not found there, $HOME/.docker/config.json is checked, which
57 is set using docker login.
58 Note: You can also override the default path of the authentication file
61 by setting the REGISTRY_AUTH_FILE environment variable. export REG‐
62 ISTRY_AUTH_FILE=path
63 --src-authfile path
66 Path of the authentication file for the source registry. Uses path
69 given by --authfile, if not provided.
70 --dest-authfile path
73 Path of the authentication file for the destination registry. Uses path
76 given by --authfile, if not provided.
77 --dest-shared-blob-dir directory
80 Directory to use to share blobs across OCI repositories.
83 --digestfile path
86 After copying the image, write the digest of the resulting image to the
89 file.
90 --encrypt-layer ints
93 Experimental the 0-indexed layer indices, with support for negative in‐
96 dexing (e.g. 0 is the first layer, -1 is the last layer)
97 --format, -f manifest-type
100 MANIFEST TYPE (oci, v2s1, or v2s2) to use in the destination (default
103 is manifest type of source, with fallbacks)
104 --help, -h
107 Print usage statement
110 --quiet, -q
113 Suppress output information when copying images.
116 --remove-signatures
119 Do not copy signatures, if any, from source-image. Necessary when copy‐
122 ing a signed image to a destination which does not support signatures.
123 --sign-by=key-id
126 Add a signature using that key ID for an image name corresponding to
129 destination-image
130 --src-shared-blob-dir directory
133 Directory to use to share blobs across OCI repositories.
136 --encryption-key protocol:keyfile
139 Specifies the encryption protocol, which can be JWE (RFC7516), PGP
142 (RFC4880), and PKCS7 (RFC2315) and the key material required for image
143 encryption. For instance, jwe:/path/to/key.pem or pgp:admin@example.com
144 or pkcs7:/path/to/x509-file.
145 --decryption-key key[:passphrase]
148 Key to be used for decryption of images. Key can point to keys and/or
151 certificates. Decryption will be tried with all keys. If the key is
152 protected by a passphrase, it is required to be passed in the argument
153 and omitted otherwise.
154 --src-creds username[:password]
157 Credentials for accessing the source registry.
160 --dest-compress bool-value
163 Compress tarball image layers when saving to directory using the 'dir'
166 transport. (default is same compression type as source).
167 --dest-decompress bool-value
170 Decompress tarball image layers when saving to directory using the
173 'dir' transport. (default is same compression type as source).
174 --dest-oci-accept-uncompressed-layers bool-value
177 Allow uncompressed image layers when saving to an OCI image using the
180 'oci' transport. (default is to compress things that aren't com‐
181 pressed).
182 --dest-creds username[:password]
185 Credentials for accessing the destination registry.
188 --src-cert-dir path
191 Use certificates at path (*.crt, *.cert, *.key) to connect to the
194 source registry or daemon.
195 --src-no-creds bool-value
198 Access the registry anonymously.
201 --src-tls-verify bool-value
204 Require HTTPS and verify certificates when talking to container source
207 registry or daemon. Default to source registry setting.
208 --dest-cert-dir path
211 Use certificates at path (*.crt, *.cert, *.key) to connect to the des‐
214 tination registry or daemon.
215 --dest-no-creds bool-value
218 Access the registry anonymously.
221 --dest-tls-verify bool-value
224 Require HTTPS and verify certificates when talking to container desti‐
227 nation registry or daemon. Default to destination registry setting.
228 --src-daemon-host host
231 Copy from docker daemon at host. If host starts with tcp://, HTTPS is
234 enabled by default. To use plain HTTP, use the form http:// (default is
235 unix:///var/run/docker.sock).
236 --dest-daemon-host host
239 Copy to docker daemon at host. If host starts with tcp://, HTTPS is en‐
242 abled by default. To use plain HTTP, use the form http:// (default is
243 unix:///var/run/docker.sock).
244 Existing signatures, if any, are preserved as well.
247 --dest-compress-format format
250 Specifies the compression format to use. Supported values are: gzip
253 and zstd.
254 --dest-compress-level format
257 Specifies the compression level to use. The value is specific to the
260 compression algorithm used, e.g. for zstd the accepted values are in
261 the range 1-20 (inclusive), while for gzip it is 1-9 (inclusive).
262 --src-registry-token token
265 Bearer token for accessing the source registry.
268 --dest-registry-token token
271 Bearer token for accessing the destination registry.
274 --dest-precompute-digests bool-value
277 Precompute digests to ensure layers are not uploaded that already exist
280 on the destination registry. Layers with initially unknown digests (ex.
281 compressing "on the fly") will be temporarily streamed to disk.
282 --retry-times
285 The number of times to retry. Retry wait time will be exponentially in‐
288 creased based on the number of failed attempts.
289 --src-username
292 The username to access the source registry.
295 --src-password
298 The password to access the source registry.
301 --dest-username
304 The username to access the destination registry.
307 --dest-password
310 The password to access the destination registry.
313
316 To just copy an image from one registry to another:
317 $ skopeo copy docker://quay.io/skopeo/stable:latest docker://registry.example.com/skopeo:latest
320 To copy the layers of the docker.io busybox image to a local directory:
324 $ mkdir -p /var/lib/images/busybox
327 $ skopeo copy docker://busybox:latest dir:/var/lib/images/busybox
328 $ ls /var/lib/images/busybox/*
329 /tmp/busybox/2b8fd9751c4c0f5dd266fcae00707e67a2545ef34f9a29354585f93dac906749.tar
330 /tmp/busybox/manifest.json
331 /tmp/busybox/8ddc19f16526912237dd8af81971d5e4dd0587907234be2b83e249518d5b673f.tar
332 To copy and sign an image:
336 # skopeo copy --sign-by dev@example.com containers-storage:example/busybox:streaming docker://example/busybox:gold
339 To encrypt an image:
343 skopeo copy docker://docker.io/library/nginx:1.17.8 oci:local_nginx:1.17.8
346 openssl genrsa -out private.key 1024
348 openssl rsa -in private.key -pubout > public.key
349 skopeo copy --encryption-key jwe:./public.key oci:local_nginx:1.17.8 oci:try-encrypt:encrypted
351 To decrypt an image:
355 skopeo copy --decryption-key ./private.key oci:try-encrypt:encrypted oci:try-decrypt:decrypted
358 To copy encrypted image without decryption:
362 skopeo copy oci:try-encrypt:encrypted oci:try-encrypt-copy:encrypted
365 To decrypt an image that requires more than one key:
369 skopeo copy --decryption-key ./private1.key --decryption-key ./private2.key --decryption-key ./private3.key oci:try-encrypt:encrypted oci:try-decrypt:decrypted
372 Container images can also be partially encrypted by specifying the in‐
376 dex of the layer. Layers are 0-indexed indices, with support for nega‐
377 tive indexing. i.e. 0 is the first layer, -1 is the last layer.
378 Let's say out of 3 layers that the image docker.io/library/nginx:1.17.8
381 is made up of, we only want to encrypt the 2nd layer,
382 skopeo copy --encryption-key jwe:./public.key --encrypt-layer 1 oci:local_nginx:1.17.8 oci:try-encrypt:encrypted
385
389 skopeo(1), skopeo-login(1), docker-login(1), containers-auth.json(5),
390 containers-policy.json(5), containers-transports(5), containers-signa‐
391 ture(5)
392
395 Antonio Murdaca runcom@redhat.com ⟨mailto:runcom@redhat.com⟩, Miloslav
396 Trmac mitr@redhat.com ⟨mailto:mitr@redhat.com⟩, Jhon Honce jhonce@red‐
397 hat.com ⟨mailto:jhonce@redhat.com⟩
398 skopeo-copy(1)()