skopeo-copy(1)() skopeo-copy(1)()

NAME

skopeo-copy - Copy an image (manifest, filesystem layers, signatures)
from one location to another.

SYNOPSIS

skopeo copy [options] source-image destination-image

DESCRIPTION

Copy an image (manifest, filesystem layers, signatures) from one
location to another.

Uses the system's trust policy to validate images and rejects images
not trusted by the policy.

source-image use the "image name" format described above

destination-image use the "image name" format described above

source-image and destination-image are interpreted completely
independently; e.g. the destination name does not automatically inherit
any parts of the source name.

OPTIONS

--additional-tag=strings

Additional tags (supports docker-archive).

--all, -a

If source-image refers to a list of images, instead of copying just the
image which matches the current OS and architecture (subject to the use
of the global --override-os, --override-arch and --override-variant
options), attempt to copy all of the images in the list, and the list
itself.

--authfile path

Path of the authentication file. Default is
${XDG_RUNTIME_DIR}/containers/auth.json, which is set using skopeo login.
If the authorization state is not found there, $HOME/.docker/config.json
is checked, which is set using docker login.

Note: You can also override the default path of the authentication file
by setting the REGISTRY_AUTH_FILE environment variable.

export REGISTRY_AUTH_FILE=path

--src-authfile path

Path of the authentication file for the source registry. Uses path
given by --authfile, if not provided.

--dest-authfile path

Path of the authentication file for the destination registry. Uses path
given by --authfile, if not provided.

--dest-shared-blob-dir directory

Directory to use to share blobs across OCI repositories.

--digestfile path

After copying the image, write the digest of the resulting image to the
file.

--preserve-digests

Preserve the digests during copying. Fail if the digest cannot be
preserved.

--encrypt-layer ints

Experimental: the 0-indexed layer indices, with support for negative
indexing (e.g. 0 is the first layer, -1 is the last layer).

--format, -f manifest-type

MANIFEST TYPE (oci, v2s1, or v2s2) to use in the destination (default
is manifest type of source, with fallbacks)

--help, -h

Print usage statement

--multi-arch option

Control what is copied if source-image refers to a multi-architecture
image. Default is system.

Options:
- system: Copy only the image that matches the system architecture
- all: Copy the full multi-architecture image
- index-only: Copy only the index

The index-only option usually fails unless the referenced
per-architecture images are already present in the destination, or the
target registry supports sparse indexes.

--quiet, -q

Suppress output information when copying images.

--remove-signatures

Do not copy signatures, if any, from source-image. Necessary when
copying a signed image to a destination which does not support
signatures.

--sign-by key-id

Add a signature using that key ID for an image name corresponding to
destination-image

--sign-passphrase-file path

The passphrase to use when signing with the key ID from --sign-by. Only
the first line will be read. A passphrase stored in a file is of
questionable security if other users can read this file. Do not use this
option if at all avoidable.

--sign-identity reference

The identity to use when signing the image. The identity must be a
fully specified docker reference. If the identity is not specified, the
target docker reference will be used.

--src-shared-blob-dir directory

Directory to use to share blobs across OCI repositories.

--encryption-key protocol:keyfile

Specifies the encryption protocol, which can be JWE (RFC7516), PGP
(RFC4880), and PKCS7 (RFC2315) and the key material required for image
encryption. For instance, jwe:/path/to/key.pem or pgp:admin@example.com
or pkcs7:/path/to/x509-file.

--decryption-key key[:passphrase]

Key to be used for decryption of images. Key can point to keys and/or
certificates. Decryption will be tried with all keys. If the key is
protected by a passphrase, it is required to be passed in the argument
and omitted otherwise.

--src-creds username[:password]

Credentials for accessing the source registry.

--dest-compress

Compress tarball image layers when saving to directory using the 'dir'
transport. (default is same compression type as source).

--dest-decompress

Decompress tarball image layers when saving to directory using the
'dir' transport. (default is same compression type as source).

--dest-oci-accept-uncompressed-layers

Allow uncompressed image layers when saving to an OCI image using the
'oci' transport. (default is to compress things that aren't
compressed).

--dest-creds username[:password]

Credentials for accessing the destination registry.

--src-cert-dir path

Use certificates at path (*.crt, *.cert, *.key) to connect to the
source registry or daemon.

--src-no-creds

Access the registry anonymously.

--src-tls-verify=bool

Require HTTPS and verify certificates when talking to container source
registry or daemon. Default to source registry setting.

--dest-cert-dir path

Use certificates at path (*.crt, *.cert, *.key) to connect to the
destination registry or daemon.

--dest-no-creds

Access the registry anonymously.

--dest-tls-verify=bool

Require HTTPS and verify certificates when talking to container
destination registry or daemon. Default to destination registry setting.

--src-daemon-host host

Copy from docker daemon at host. If host starts with tcp://, HTTPS is
enabled by default. To use plain HTTP, use the form http:// (default is
unix:///var/run/docker.sock).

--dest-daemon-host host

Copy to docker daemon at host. If host starts with tcp://, HTTPS is
enabled by default. To use plain HTTP, use the form http:// (default is
unix:///var/run/docker.sock).

Existing signatures, if any, are preserved as well.

--dest-compress-format format

Specifies the compression format to use. Supported values are: gzip
and zstd.

--dest-compress-level format

Specifies the compression level to use. The value is specific to the
compression algorithm used, e.g. for zstd the accepted values are in
the range 1-20 (inclusive), while for gzip it is 1-9 (inclusive).

--src-registry-token token

Bearer token for accessing the source registry.

--dest-registry-token token

Bearer token for accessing the destination registry.

--dest-precompute-digests

Precompute digests to ensure layers are not uploaded that already exist
on the destination registry. Layers with initially unknown digests (ex.
compressing "on the fly") will be temporarily streamed to disk.

--retry-times

The number of times to retry. Retry wait time will be exponentially
increased based on the number of failed attempts.

--src-username

The username to access the source registry.

--src-password

The password to access the source registry.

--dest-username

The username to access the destination registry.

--dest-password

The password to access the destination registry.

EXAMPLES

To just copy an image from one registry to another:

$ skopeo copy docker://quay.io/skopeo/stable:latest docker://registry.example.com/skopeo:latest

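
When an image is promoted between registries, --preserve-digests and --digestfile can be combined so that downstream consumers receive an immutable digest reference instead of a mutable tag. The following is an added example, not part of the skopeo manual; the function name copy_and_pin, its three arguments, and the expectation that the digest file holds a single sha256:<hex> value are assumptions of this sketch.

```shell
# Added example: copy an image and print a digest-pinned reference to it.
# $1 source image name
# $2 destination repository without a tag,
#    e.g. docker://registry.example.com/skopeo
# $3 tag to publish under
copy_and_pin() {
    src=$1 dest_repo=$2 tag=$3
    digestfile=$(mktemp) || return 1

    # --preserve-digests: fail rather than change the image digest.
    # --digestfile: record the digest of the image that was written.
    if ! skopeo copy --preserve-digests --digestfile "$digestfile" \
            "$src" "$dest_repo:$tag"; then
        rm -f "$digestfile"
        return 1
    fi

    digest=$(head -n 1 "$digestfile")
    rm -f "$digestfile"

    # Refuse anything that is not a well-formed sha256 digest.
    case $digest in
        sha256:*) hex=${digest#sha256:} ;;
        *) echo "unexpected digest: $digest" >&2; return 1 ;;
    esac
    if [ ${#hex} -ne 64 ] || [ -n "$(printf %s "$hex" | tr -d '0-9a-f')" ]; then
        echo "malformed digest: $digest" >&2
        return 1
    fi

    # Deployments should reference this value, not the tag.
    printf '%s@%s\n' "$dest_repo" "$digest"
}
```
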
To copy the layers of the docker.io busybox image to a local directory:

$ mkdir -p /var/lib/images/busybox
$ skopeo copy docker://busybox:latest dir:/var/lib/images/busybox
$ ls /var/lib/images/busybox/*
/var/lib/images/busybox/2b8fd9751c4c0f5dd266fcae00707e67a2545ef34f9a29354585f93dac906749.tar
/var/lib/images/busybox/manifest.json
/var/lib/images/busybox/8ddc19f16526912237dd8af81971d5e4dd0587907234be2b83e249518d5b673f.tar

To copy and sign an image:

# skopeo copy --sign-by dev@example.com containers-storage:example/busybox:streaming docker://example/busybox:gold

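
The --sign-passphrase-file description warns that a passphrase file readable by other users is of questionable security, and the same concern applies to the authentication file described under --authfile. The following added example, which is not part of the skopeo manual, checks file ownership and mode before either file is used; the function names is_private_file, sign_copy and check_authfile are hypothetical.

```shell
# Added example (not from the skopeo manual); function names are illustrative.

# Succeeds only if $1 is a regular, non-symlink file owned by the caller
# with no group or other permission bits set (e.g. mode 0600 or 0400).
is_private_file() {
    f=$1
    [ -f "$f" ] || return 1
    [ ! -L "$f" ] || return 1
    [ -O "$f" ] || return 1
    mode=$(ls -ld -- "$f") || return 1
    case $mode in
        ????------*) return 0 ;;   # type + owner bits, then six dashes
        *) return 1 ;;
    esac
}

# Sign while copying, but refuse to hand skopeo a passphrase file that
# other users could read.
sign_copy() {
    key_id=$1 passfile=$2 src=$3 dest=$4
    if ! is_private_file "$passfile"; then
        echo "refusing to sign: $passfile is not private to this user" >&2
        return 1
    fi
    skopeo copy --sign-by "$key_id" --sign-passphrase-file "$passfile" \
        "$src" "$dest"
}

# Same check for the auth file skopeo reads by default: REGISTRY_AUTH_FILE
# if set, otherwise ${XDG_RUNTIME_DIR}/containers/auth.json.
check_authfile() {
    is_private_file "${REGISTRY_AUTH_FILE:-${XDG_RUNTIME_DIR}/containers/auth.json}"
}
```
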
To encrypt an image:

skopeo copy docker://docker.io/library/nginx:1.17.8 oci:local_nginx:1.17.8

openssl genrsa -out private.key 1024
openssl rsa -in private.key -pubout > public.key

skopeo copy --encryption-key jwe:./public.key oci:local_nginx:1.17.8 oci:try-encrypt:encrypted

To decrypt an image:

skopeo copy --decryption-key ./private.key oci:try-encrypt:encrypted oci:try-decrypt:decrypted

To copy an encrypted image without decryption:

skopeo copy oci:try-encrypt:encrypted oci:try-encrypt-copy:encrypted

To decrypt an image that requires more than one key:

skopeo copy --decryption-key ./private1.key --decryption-key ./private2.key --decryption-key ./private3.key oci:try-encrypt:encrypted oci:try-decrypt:decrypted

Container images can also be partially encrypted by specifying the
index of the layer. Layers are 0-indexed, with support for negative
indexing, i.e. 0 is the first layer, -1 is the last layer.

Let's say out of 3 layers that the image docker.io/library/nginx:1.17.8
is made up of, we only want to encrypt the 2nd layer:

skopeo copy --encryption-key jwe:./public.key --encrypt-layer 1 oci:local_nginx:1.17.8 oci:try-encrypt:encrypted

SEE ALSO

skopeo(1), skopeo-login(1), docker-login(1), containers-auth.json(5),
containers-policy.json(5), containers-transports(5),
containers-signature(5)

AUTHORS

Antonio Murdaca <runcom@redhat.com>, Miloslav Trmac <mitr@redhat.com>,
Jhon Honce <jhonce@redhat.com>