1skopeo-sync(1)()                                              skopeo-sync(1)()
2
3
4

NAME

6       skopeo-sync - Synchronize images between container registries and local
7       directories.
8
9

SYNOPSIS

11       skopeo sync [options] --src transport --dest transport source  destina‐
12       tion
13
14

DESCRIPTION

16       Synchronize  images between container registries and local directories.
17       The synchronization is achieved by copying  all  the  images  found  at
18       source to destination.
19
20
21       Useful to synchronize a local container registry mirror, and to to pop‐
22       ulate registries running inside of air-gapped environments.
23
24
25       Differently from other  skopeo  commands,  skopeo  sync  requires  both
26       source  and  destination  transports  to  be  specified separately from
27       source and destination.  One of the problems of prefixing a destination
28       with  its  transport is that, the registry docker://hostname:port would
29       be wrongly interpreted as an image reference at a  non-fully  qualified
30       registry, with hostname and port the image name and tag.
31
32
33       Available source transports:
34        -  docker (i.e. --src docker): source is a repository hosted on a con‐
35       tainer registry (e.g.: registry.example.com/busybox).
36        If no image tag is specified, skopeo sync copies all the tags found in
37       that repository.
38        -  dir  (i.e. --src dir): source is a local directory path (e.g.: /me‐
39       dia/usb/). Refer to skopeo(1) dir:path for the local image format.
40        - yaml (i.e. --src yaml): source is local YAML file path.
41        The YAML file should specify the list of images copied from  different
42       container  registries  (local  directories are not supported). Refer to
43       EXAMPLES for the file format.
44
45
46       Available destination transports:
47        - docker (i.e. --dest docker): destination  is  a  container  registry
48       (e.g.: my-registry.local.lan).
49        -  dir (i.e. --dest dir): destination is a local directory path (e.g.:
50       /media/usb/).
51        One directory per source 'image:tag' is created for each copied image.
52
53
54       When the --scoped option is specified, images  are  prefixed  with  the
55       source  image  path  so  that multiple images with the same name can be
56       stored at destination.
57
58

OPTIONS

60       --all, -a If one of the images in src refers to a list of  images,  in‐
61       stead of copying just the image which matches the current OS and archi‐
62       tecture (subject to the use of the  global  --override-os,  --override-
63       arch and --override-variant options), attempt to copy all of the images
64       in the list, and the list itself.
65
66
67       --authfile path
68
69
70       Path of the authentication file. Default is ${XDG_RUNTIME_DIR}/contain‐
71       ers/auth.json,  which  is set using skopeo login.  If the authorization
72       state is not found there, $HOME/.docker/config.json is  checked,  which
73       is set using docker login.
74
75
76       --src-authfile path
77
78
79       Path  of  the  authentication  file  for the source registry. Uses path
80       given by --authfile, if not provided.
81
82
83       --dest-authfile path
84
85
86       Path of the authentication file for the destination registry. Uses path
87       given by --authfile, if not provided.
88
89
90       --dry-run
91
92
93       Run the sync without actually copying data to the destination.
94
95
96       --src, -s transport Transport for the source repository.
97
98
99       --dest, -d transport Destination transport.
100
101
102       --format,  -f  manifest-type  Manifest Type (oci, v2s1, or v2s2) to use
103       when syncing image(s) to a destination (default  is  manifest  type  of
104       source, with fallbacks).
105
106
107       --help, -h
108
109
110       Print usage statement.
111
112
113       --scoped Prefix images with the source image path, so that multiple im‐
114       ages with the same name can be stored at destination.
115
116
117       --preserve-digests Preserve the digests during copying. Fail if the di‐
118       gest cannot be preserved.
119
120
121       --remove-signatures  Do not copy signatures, if any, from source-image.
122       This is necessary when copying a signed image to  a  destination  which
123       does not support signatures.
124
125
126       --sign-by=key-id  Add  a  signature using that key ID for an image name
127       corresponding to destination-image.
128
129
130       --sign-passphrase-file=path The passphare to use when signing with  the
131       key  ID  from --sign-by. Only the first line will be read. A passphrase
132       stored in a file is of questionable security if other  users  can  read
133       this file. Do not use this option if at all avoidable.
134
135
136       --src-creds username[:password] for accessing the source registry.
137
138
139       --dest-creds  username[:password]  for  accessing  the destination reg‐
140       istry.
141
142
143       --src-cert-dir path Use certificates (*.crt, *.cert, *.key) at path  to
144       connect to the source registry or daemon.
145
146
147       --src-no-creds Access the registry anonymously.
148
149
150       --src-tls-verify=bool  Require HTTPS and verify certificates when talk‐
151       ing to a container source registry or daemon. Default  to  source  reg‐
152       istry entry in registry.conf setting.
153
154
155       --dest-cert-dir path Use certificates (*.crt, *.cert, *.key) at path to
156       connect to the destination registry or daemon.
157
158
159       --dest-no-creds Access the registry anonymously.
160
161
162       --dest-tls-verify=bool Require HTTPS and verify certificates when talk‐
163       ing  to a container destination registry or daemon. Default to destina‐
164       tion registry entry in registry.conf setting.
165
166
167       --src-registry-token Bearer token for accessing the source registry.
168
169
170       --dest-registry-token Bearer token for accessing the  destination  reg‐
171       istry.
172
173
174       --retry-times   the  number  of times to retry, retry wait time will be
175       exponentially increased based on the number of failed attempts.
176
177
178       --keep-going If any errors occur during copying of images, those errors
179       are logged and the process continues syncing rest of the images and fi‐
180       nally fails at the end.
181
182
183       --src-username
184
185
186       The username to access the source registry.
187
188
189       --src-password
190
191
192       The password to access the source registry.
193
194
195       --dest-username
196
197
198       The username to access the destination registry.
199
200
201       --dest-password
202
203
204       The password to access the destination registry.
205
206

EXAMPLES

208   Synchronizing to a local directory
209              $ skopeo sync --src docker --dest dir registry.example.com/busybox /media/usb
210
211
212
213       Images are located at:
214
215
216              /media/usb/busybox:1-glibc
217              /media/usb/busybox:1-musl
218              /media/usb/busybox:1-ubuntu
219              /media/usb/busybox:latest
220
221
222
223   Synchronizing to a container registry from local
224       Images are located at:
225
226
227              /media/usb/busybox:1-glibc
228
229
230
231       Sync run
232
233
234              $ skopeo sync --src dir --dest docker /media/usb/busybox:1-glibc my-registry.local.lan/test/
235
236
237
238       Destination registry content:
239
240
241              REPO                                 TAGS
242              my-registry.local.lan/test/busybox   1-glibc
243
244
245
246   Synchronizing to a local directory, scoped
247              $ skopeo sync --src docker --dest dir --scoped registry.example.com/busybox /media/usb
248
249
250
251       Images are located at:
252
253
254              /media/usb/registry.example.com/busybox:1-glibc
255              /media/usb/registry.example.com/busybox:1-musl
256              /media/usb/registry.example.com/busybox:1-ubuntu
257              /media/usb/registry.example.com/busybox:latest
258
259
260
261   Synchronizing to a container registry
262              skopeo sync --src docker --dest docker registry.example.com/busybox my-registry.local.lan
263
264
265
266       Destination registry content:
267
268
269              REPO                         TAGS
270              registry.local.lan/busybox   1-glibc, 1-musl, 1-ubuntu, ..., latest
271
272
273
274   Synchronizing to a container registry keeping the repository
275              skopeo sync --src docker --dest docker registry.example.com/repo/busybox my-registry.local.lan/repo
276
277
278
279       Destination registry content:
280
281
282              REPO                              TAGS
283              registry.local.lan/repo/busybox   1-glibc, 1-musl, 1-ubuntu, ..., latest
284
285
286
287   YAML file content (used source for **--src yaml**)
288              registry.example.com:
289                  images:
290                      busybox: []
291                      redis:
292                          - "1.0"
293                          - "2.0"
294                          - "sha256:0000000000000000000000000000000011111111111111111111111111111111"
295                  images-by-tag-regex:
296                      nginx: ^1\.13\.[12]-alpine-perl$
297                  credentials:
298                      username: john
299                      password: this is a secret
300                  tls-verify: true
301                  cert-dir: /home/john/certs
302              quay.io:
303                  tls-verify: false
304                  images:
305                      coreos/etcd:
306                          - latest
307
308
309
310       If the yaml filename is sync.yml, sync run:
311
312
313              skopeo sync --src yaml --dest docker sync.yml my-registry.local.lan/repo/
314
315
316
317       This will  copy  the  following  images:  -  Repository  registry.exam‐
318       ple.com/busybox:  all  images,  as no tags are specified.  - Repository
319       registry.example.com/redis: images tagged "1.0" and  "2.0"  along  with
320       image                            with                            digest
321       "sha256:0000000000000000000000000000000011111111111111111111111111111111".
322       -  Repository registry.example.com/nginx: images tagged "1.13.1-alpine-
323       perl" and "1.13.2-alpine-perl".  - Repository quay.io/coreos/etcd:  im‐
324       ages tagged "latest".
325
326
327       For  the  registry  registry.example.com, the "john"/"this is a secret"
328       credentials  are  used,  with  server  TLS  certificates   located   at
329       /home/john/certs.
330
331
332       TLS  verification  is  normally enabled, and it can be disabled setting
333       tls-verify to false.  In the above example, TLS verification is enabled
334       for registry.example.com, while is disabled for quay.io.
335
336

SEE ALSO

338       skopeo(1),  skopeo-login(1),  docker-login(1), containers-auth.json(5),
339       containers-policy.json(5), containers-transports(5)
340
341

AUTHORS

343       Flavio Castelli fcastelli@suse.com  ⟨mailto:fcastelli@suse.com⟩,  Marco
344       Vedovati mvedovati@suse.com ⟨mailto:mvedovati@suse.com⟩
345
346
347
348                                                              skopeo-sync(1)()
Impressum