skopeo-copy(1)()                                              skopeo-copy(1)()

NAME

       skopeo-copy - Copy an image (manifest, filesystem layers, signatures)
       from one location to another.

SYNOPSIS

       skopeo copy [options] source-image destination-image

DESCRIPTION

       Copy an image (manifest, filesystem layers, signatures) from one
       location to another.

       Uses the system's trust policy to validate images and rejects images
       not trusted by the policy.

       source-image uses the "image name" format described above.

       destination-image uses the "image name" format described above.

       source-image and destination-image are interpreted completely
       independently; e.g. the destination name does not automatically inherit
       any parts of the source name.

OPTIONS

       --additional-tag=strings

       Additional tags (supports docker-archive).

       --all, -a

       If source-image refers to a list of images, instead of copying just the
       image which matches the current OS and architecture (subject to the use
       of the global --override-os, --override-arch and --override-variant
       options), attempt to copy all of the images in the list, and the list
       itself.

       --authfile path

       Path of the authentication file. Default is
       ${XDG_RUNTIME_DIR}/containers/auth.json, which is set using skopeo
       login. If the authorization state is not found there,
       $HOME/.docker/config.json is checked, which is set using docker login.

       Note: You can also override the default path of the authentication file
       by setting the REGISTRY_AUTH_FILE environment variable:

              export REGISTRY_AUTH_FILE=path

       --src-authfile path

       Path of the authentication file for the source registry. Uses path
       given by --authfile, if not provided.

       --dest-authfile path

       Path of the authentication file for the destination registry. Uses path
       given by --authfile, if not provided.

       --dest-shared-blob-dir directory

       Directory to use to share blobs across OCI repositories.

       --digestfile path

       After copying the image, write the digest of the resulting image to the
       file.

       --preserve-digests

       Preserve the digests during copying. Fail if the digest cannot be
       preserved. Consider using --all at the same time.

       --encrypt-layer ints

       Experimental: the 0-indexed layer indices to encrypt, with support for
       negative indexing (e.g. 0 is the first layer, -1 is the last layer).

       --format, -f manifest-type

       MANIFEST TYPE (oci, v2s1, or v2s2) to use in the destination (default
       is manifest type of source, with fallbacks).

       --help, -h

       Print usage statement.

       --multi-arch option

       Control what is copied if source-image refers to a multi-architecture
       image. Default is system.

       Options:

       - system: Copy only the image that matches the system architecture
       - all: Copy the full multi-architecture image
       - index-only: Copy only the index

       The index-only option usually fails unless the referenced
       per-architecture images are already present in the destination, or the
       target registry supports sparse indexes.

       --quiet, -q

       Suppress output information when copying images.

       --remove-signatures

       Do not copy signatures, if any, from source-image. Necessary when
       copying a signed image to a destination which does not support
       signatures.

       --sign-by key-id

       Add a "simple signing" signature using that key ID for an image name
       corresponding to destination-image.

       --sign-by-sigstore-private-key path

       Add a sigstore signature using a private key at path for an image name
       corresponding to destination-image.

       --sign-passphrase-file path

       The passphrase to use when signing with --sign-by or
       --sign-by-sigstore-private-key. Only the first line will be read. A
       passphrase stored in a file is of questionable security if other users
       can read this file. Do not use this option if at all avoidable.

       --sign-identity reference

       The identity to use when signing the image. The identity must be a
       fully specified docker reference. If the identity is not specified, the
       target docker reference will be used.

       --src-shared-blob-dir directory

       Directory to use to share blobs across OCI repositories.

       --encryption-key protocol:keyfile

       Specifies the encryption protocol, which can be JWE (RFC7516), PGP
       (RFC4880), and PKCS7 (RFC2315) and the key material required for image
       encryption. For instance, jwe:/path/to/key.pem or pgp:admin@example.com
       or pkcs7:/path/to/x509-file.

       --decryption-key key[:passphrase]

       Key to be used for decryption of images. Key can point to keys and/or
       certificates. Decryption will be tried with all keys. If the key is
       protected by a passphrase, it is required to be passed in the argument
       and omitted otherwise.

       --src-creds username[:password]

       Credentials for accessing the source registry.

       --dest-compress

       Compress tarball image layers when saving to directory using the 'dir'
       transport. (default is same compression type as source).

       --dest-decompress

       Decompress tarball image layers when saving to directory using the
       'dir' transport. (default is same compression type as source).

       --dest-oci-accept-uncompressed-layers

       Allow uncompressed image layers when saving to an OCI image using the
       'oci' transport. (default is to compress things that aren't
       compressed).

       --dest-creds username[:password]

       Credentials for accessing the destination registry.

       --src-cert-dir path

       Use certificates at path (*.crt, *.cert, *.key) to connect to the
       source registry or daemon.

       --src-no-creds

       Access the registry anonymously.

       --src-tls-verify=bool

       Require HTTPS and verify certificates when talking to container source
       registry or daemon. Default to source registry setting.

       --dest-cert-dir path

       Use certificates at path (*.crt, *.cert, *.key) to connect to the
       destination registry or daemon.

       --dest-no-creds

       Access the registry anonymously.

       --dest-tls-verify=bool

       Require HTTPS and verify certificates when talking to container
       destination registry or daemon. Default to destination registry
       setting.

       --src-daemon-host host

       Copy from docker daemon at host. If host starts with tcp://, HTTPS is
       enabled by default. To use plain HTTP, use the form http:// (default is
       unix:///var/run/docker.sock).

       --dest-daemon-host host

       Copy to docker daemon at host. If host starts with tcp://, HTTPS is
       enabled by default. To use plain HTTP, use the form http:// (default is
       unix:///var/run/docker.sock).

       Existing signatures, if any, are preserved as well.

       --dest-compress-format format

       Specifies the compression format to use. Supported values are: gzip
       and zstd.

       --dest-compress-level format

       Specifies the compression level to use. The value is specific to the
       compression algorithm used, e.g. for zstd the accepted values are in
       the range 1-20 (inclusive), while for gzip it is 1-9 (inclusive).

       --src-registry-token token

       Bearer token for accessing the source registry.

       --dest-registry-token token

       Bearer token for accessing the destination registry.

       --dest-precompute-digests

       Precompute digests to ensure layers are not uploaded that already exist
       on the destination registry. Layers with initially unknown digests
       (e.g. compressing "on the fly") will be temporarily streamed to disk.

       --retry-times

       The number of times to retry. Retry wait time will be exponentially
       increased based on the number of failed attempts.

       --src-username

       The username to access the source registry.

       --src-password

       The password to access the source registry.

       --dest-username

       The username to access the destination registry.

       --dest-password

       The password to access the destination registry.

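       The warning under --sign-passphrase-file can be enforced before
       signing. The following is an added example, not part of skopeo or its
       documentation: it refuses a passphrase file that is a symlink, is not
       owned by the current user, or has any group/other permission bits.
       check_passphrase_file and signed_copy are hypothetical names.

```shell
#!/bin/sh
# Added example: refuse to use a passphrase file that other users could read.
# check_passphrase_file and signed_copy are illustrative names, not skopeo's.

check_passphrase_file() {
    f=$1
    # Reject symlinks: the link target could be swapped for another file.
    if [ -L "$f" ]; then
        echo "refusing $f: is a symbolic link" >&2; return 1
    fi
    if [ ! -f "$f" ]; then
        echo "refusing $f: not a regular file" >&2; return 1
    fi
    # The file must belong to the user who runs skopeo.
    if [ ! -O "$f" ]; then
        echo "refusing $f: not owned by the current user" >&2; return 1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld -- "$f" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "refusing $f: group/other permissions set ($perms)" >&2; return 1
    fi
    # Only the first line is read, so extra lines are a likely mistake.
    lines=$(wc -l < "$f")
    if [ "$lines" -gt 1 ]; then
        echo "refusing $f: more than one line" >&2; return 1
    fi
    return 0
}

# Sign only when the passphrase file passes the checks above.
signed_copy() {
    key_id=$1 passfile=$2 src=$3 dest=$4
    check_passphrase_file "$passfile" || return 1
    skopeo copy --sign-by "$key_id" --sign-passphrase-file "$passfile" \
        "$src" "$dest"
}
```
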

EXAMPLES

       To just copy an image from one registry to another:

              $ skopeo copy docker://quay.io/skopeo/stable:latest docker://registry.example.com/skopeo:latest

       To copy the layers of the docker.io busybox image to a local directory:

              $ mkdir -p /var/lib/images/busybox
              $ skopeo copy docker://busybox:latest dir:/var/lib/images/busybox
              $ ls /var/lib/images/busybox/*
                /var/lib/images/busybox/2b8fd9751c4c0f5dd266fcae00707e67a2545ef34f9a29354585f93dac906749.tar
                /var/lib/images/busybox/manifest.json
                /var/lib/images/busybox/8ddc19f16526912237dd8af81971d5e4dd0587907234be2b83e249518d5b673f.tar

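       A directory written this way can be re-checked later against the
       digest saved with --digestfile. The following is an added example, not
       part of skopeo: verify_dir_image and sha256_of are hypothetical names,
       sha256sum is assumed to be installed, and the manifest is assumed to be
       schema 2 or OCI, so that the recorded digest is the SHA-256 of
       manifest.json.

```shell
#!/bin/sh
# Added example: integrity check of a directory written by the dir: transport.
# Typical input (assumed paths):
#   skopeo copy --digestfile busybox.digest docker://busybox:latest \
#       dir:/var/lib/images/busybox
#   verify_dir_image /var/lib/images/busybox busybox.digest

sha256_of() { sha256sum < "$1" | cut -d' ' -f1; }

verify_dir_image() {
    dir=$1 digestfile=$2
    rc=0
    # 1. Compare the recorded image digest with the manifest on disk.
    want=$(tr -d ' \n' < "$digestfile")
    got="sha256:$(sha256_of "$dir/manifest.json")"
    if [ "$want" != "$got" ]; then
        echo "manifest digest mismatch: recorded $want, computed $got" >&2
        rc=1
    fi
    # 2. Blobs are stored under the hex form of their SHA-256 digest (with a
    #    .tar suffix in the listing above), so each file can be re-hashed
    #    and compared with its own name.
    for f in "$dir"/*; do
        name=$(basename "$f" .tar)
        # Skip manifest.json and anything else not named by a digest.
        case $name in
            *[!0-9a-f]*) continue ;;
        esac
        [ "${#name}" -eq 64 ] || continue
        if [ "$(sha256_of "$f")" != "$name" ]; then
            echo "blob content does not match its name: $f" >&2
            rc=1
        fi
    done
    return $rc
}
```
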
       To copy and sign an image:

              # skopeo copy --sign-by dev@example.com containers-storage:example/busybox:streaming docker://example/busybox:gold

       To encrypt an image:

              skopeo copy docker://docker.io/library/nginx:1.17.8 oci:local_nginx:1.17.8

              openssl genrsa -out private.key 2048
              openssl rsa -in private.key -pubout > public.key

              skopeo copy --encryption-key jwe:./public.key oci:local_nginx:1.17.8 oci:try-encrypt:encrypted

       To decrypt an image:

              skopeo copy --decryption-key ./private.key oci:try-encrypt:encrypted oci:try-decrypt:decrypted

       To copy encrypted image without decryption:

              skopeo copy oci:try-encrypt:encrypted oci:try-encrypt-copy:encrypted

       To decrypt an image that requires more than one key:

              skopeo copy --decryption-key ./private1.key --decryption-key ./private2.key --decryption-key ./private3.key oci:try-encrypt:encrypted oci:try-decrypt:decrypted

       Container images can also be partially encrypted by specifying the
       index of the layer. Layer indices are 0-indexed, with support for
       negative indexing, i.e. 0 is the first layer and -1 is the last layer.

       Suppose that, of the 3 layers that make up the image
       docker.io/library/nginx:1.17.8, we only want to encrypt the 2nd layer:

              skopeo copy --encryption-key jwe:./public.key --encrypt-layer 1 oci:local_nginx:1.17.8 oci:try-encrypt:encrypted

SEE ALSO

       skopeo(1), skopeo-login(1), docker-login(1), containers-auth.json(5),
       containers-policy.json(5), containers-transports(5),
       containers-signature(5)

AUTHORS

       Antonio Murdaca <runcom@redhat.com>, Miloslav Trmac <mitr@redhat.com>,
       Jhon Honce <jhonce@redhat.com>