1skopeo-sync(1)()                                              skopeo-sync(1)()
2
3
4

NAME

6       skopeo-sync - Synchronize images between container registries and local
7       directories.
8
9

SYNOPSIS

11       skopeo sync [options] --src transport --dest transport source  destina‐
12       tion
13
14

DESCRIPTION

16       Synchronize  images between container registries and local directories.
17       The synchronization is achieved by copying  all  the  images  found  at
18       source to destination.
19
20
21       Useful to synchronize a local container registry mirror, and to to pop‐
22       ulate registries running inside of air-gapped environments.
23
24
25       Differently from other  skopeo  commands,  skopeo  sync  requires  both
26       source  and  destination  transports  to  be  specified separately from
27       source and destination.  One of the problems of prefixing a destination
28       with  its  transport is that, the registry docker://hostname:port would
29       be wrongly interpreted as an image reference at a  non-fully  qualified
30       registry, with hostname and port the image name and tag.
31
32
33       Available source transports:
34        -  docker (i.e. --src docker): source is a repository hosted on a con‐
35       tainer registry (e.g.: registry.example.com/busybox).
36        If no image tag is specified, skopeo sync copies all the tags found in
37       that repository.
38        -  dir  (i.e. --src dir): source is a local directory path (e.g.: /me‐
39       dia/usb/). Refer to skopeo(1) dir:path for the local image format.
40        - yaml (i.e. --src yaml): source is local YAML file path.
41        The YAML file should specify the list of images copied from  different
42       container  registries  (local  directories are not supported). Refer to
43       EXAMPLES for the file format.
44
45
46       Available destination transports:
47        - docker (i.e. --dest docker): destination  is  a  container  registry
48       (e.g.: my-registry.local.lan).
49        -  dir (i.e. --dest dir): destination is a local directory path (e.g.:
50       /media/usb/).
51        One directory per source 'image:tag' is created for each copied image.
52
53
54       When the --scoped option is specified, images  are  prefixed  with  the
55       source  image  path  so  that multiple images with the same name can be
56       stored at destination.
57
58

OPTIONS

60       --all, -a If one of the images in src refers to a list of  images,  in‐
61       stead of copying just the image which matches the current OS and archi‐
62       tecture (subject to the use of the  global  --override-os,  --override-
63       arch and --override-variant options), attempt to copy all of the images
64       in the list, and the list itself.
65
66
67       --authfile path
68
69
70       Path of the authentication file. Default is ${XDG_RUNTIME_DIR}/contain‐
71       ers/auth.json,  which  is set using skopeo login.  If the authorization
72       state is not found there, $HOME/.docker/config.json is  checked,  which
73       is set using docker login.
74
75
76       --src-authfile path
77
78
79       Path  of  the  authentication  file  for the source registry. Uses path
80       given by --authfile, if not provided.
81
82
83       --dest-authfile path
84
85
86       Path of the authentication file for the destination registry. Uses path
87       given by --authfile, if not provided.
88
89
90       --src, -s transport Transport for the source repository.
91
92
93       --dest, -d transport Destination transport.
94
95
96       --format,  -f  manifest-type  Manifest Type (oci, v2s1, or v2s2) to use
97       when syncing image(s) to a destination (default  is  manifest  type  of
98       source, with fallbacks).
99
100
101       --help, -h
102
103
104       Print usage statement.
105
106
107       --scoped Prefix images with the source image path, so that multiple im‐
108       ages with the same name can be stored at destination.
109
110
111       --remove-signatures Do not copy signatures, if any, from  source-image.
112       This  is  necessary  when copying a signed image to a destination which
113       does not support signatures.
114
115
116       --sign-by=key-id Add a signature using that key ID for  an  image  name
117       corresponding to destination-image.
118
119
120       --src-creds username[:password] for accessing the source registry.
121
122
123       --dest-creds  username[:password]  for  accessing  the destination reg‐
124       istry.
125
126
127       --src-cert-dir path Use certificates (*.crt, *.cert, *.key) at path  to
128       connect to the source registry or daemon.
129
130
131       --src-no-creds bool-value Access the registry anonymously.
132
133
134       --src-tls-verify  bool-value Require HTTPS and verify certificates when
135       talking to a container source registry or  daemon.  Default  to  source
136       registry entry in registry.conf setting.
137
138
139       --dest-cert-dir path Use certificates (*.crt, *.cert, *.key) at path to
140       connect to the destination registry or daemon.
141
142
143       --dest-no-creds bool-value  Access the registry anonymously.
144
145
146       --dest-tls-verify bool-value Require HTTPS and verify certificates when
147       talking  to a container destination registry or daemon. Default to des‐
148       tination registry entry in registry.conf setting.
149
150
151       --src-registry-token Bearer token for accessing the source registry.
152
153
154       --dest-registry-token Bearer token for accessing the  destination  reg‐
155       istry.
156
157
158       --retry-times   the  number  of times to retry, retry wait time will be
159       exponentially increased based on the number of failed attempts.
160
161
162       --keep-going If any errors occur during copying of images, those errors
163       are logged and the process continues syncing rest of the images and fi‐
164       nally fails at the end.
165
166
167       --src-username
168
169
170       The username to access the source registry.
171
172
173       --src-password
174
175
176       The password to access the source registry.
177
178
179       --dest-username
180
181
182       The username to access the destination registry.
183
184
185       --dest-password
186
187
188       The password to access the destination registry.
189
190

EXAMPLES

192   Synchronizing to a local directory
193              $ skopeo sync --src docker --dest dir registry.example.com/busybox /media/usb
194
195
196
197       Images are located at:
198
199
200              /media/usb/busybox:1-glibc
201              /media/usb/busybox:1-musl
202              /media/usb/busybox:1-ubuntu
203              /media/usb/busybox:latest
204
205
206
207   Synchronizing to a container registry from local
208       Images are located at:
209
210
211              /media/usb/busybox:1-glibc
212
213
214
215       Sync run
216
217
218              $ skopeo sync --src dir --dest docker /media/usb/busybox:1-glibc my-registry.local.lan/test/
219
220
221
222       Destination registry content:
223
224
225              REPO                                 TAGS
226              my-registry.local.lan/test/busybox   1-glibc
227
228
229
230   Synchronizing to a local directory, scoped
231              $ skopeo sync --src docker --dest dir --scoped registry.example.com/busybox /media/usb
232
233
234
235       Images are located at:
236
237
238              /media/usb/registry.example.com/busybox:1-glibc
239              /media/usb/registry.example.com/busybox:1-musl
240              /media/usb/registry.example.com/busybox:1-ubuntu
241              /media/usb/registry.example.com/busybox:latest
242
243
244
245   Synchronizing to a container registry
246              skopeo sync --src docker --dest docker registry.example.com/busybox my-registry.local.lan
247
248
249
250       Destination registry content:
251
252
253              REPO                         TAGS
254              registry.local.lan/busybox   1-glibc, 1-musl, 1-ubuntu, ..., latest
255
256
257
258   Synchronizing to a container registry keeping the repository
259              skopeo sync --src docker --dest docker registry.example.com/repo/busybox my-registry.local.lan/repo
260
261
262
263       Destination registry content:
264
265
266              REPO                              TAGS
267              registry.local.lan/repo/busybox   1-glibc, 1-musl, 1-ubuntu, ..., latest
268
269
270
271   YAML file content (used source for **--src yaml**)
272              registry.example.com:
273                  images:
274                      busybox: []
275                      redis:
276                          - "1.0"
277                          - "2.0"
278                          - "sha256:0000000000000000000000000000000011111111111111111111111111111111"
279                  images-by-tag-regex:
280                      nginx: ^1\.13\.[12]-alpine-perl$
281                  credentials:
282                      username: john
283                      password: this is a secret
284                  tls-verify: true
285                  cert-dir: /home/john/certs
286              quay.io:
287                  tls-verify: false
288                  images:
289                      coreos/etcd:
290                          - latest
291
292
293
294       If the yaml filename is sync.yml, sync run:
295
296
297              skopeo sync --src yaml --dest docker sync.yml my-registry.local.lan/repo/
298
299
300
301       This will  copy  the  following  images:  -  Repository  registry.exam‐
302       ple.com/busybox:  all  images,  as no tags are specified.  - Repository
303       registry.example.com/redis: images tagged "1.0" and  "2.0"  along  with
304       image                            with                            digest
305       "sha256:0000000000000000000000000000000011111111111111111111111111111111".
306       -  Repository registry.example.com/nginx: images tagged "1.13.1-alpine-
307       perl" and "1.13.2-alpine-perl".  - Repository quay.io/coreos/etcd:  im‐
308       ages tagged "latest".
309
310
311       For  the  registry  registry.example.com, the "john"/"this is a secret"
312       credentials  are  used,  with  server  TLS  certificates   located   at
313       /home/john/certs.
314
315
316       TLS  verification  is  normally enabled, and it can be disabled setting
317       tls-verify to false.  In the above example, TLS verification is enabled
318       for registry.example.com, while is disabled for quay.io.
319
320

SEE ALSO

322       skopeo(1),  skopeo-login(1),  docker-login(1), containers-auth.json(5),
323       containers-policy.json(5), containers-transports(5)
324
325

AUTHORS

327       Flavio Castelli fcastelli@suse.com  ⟨mailto:fcastelli@suse.com⟩,  Marco
328       Vedovati mvedovati@suse.com ⟨mailto:mvedovati@suse.com⟩
329
330
331
332                                                              skopeo-sync(1)()
Impressum