skopeo-sync(1)()                                              skopeo-sync(1)()

NAME

       skopeo-sync - Synchronize images between registry repositories and local
       directories.

SYNOPSIS

       skopeo sync [options] --src transport --dest transport source destination

DESCRIPTION

       Synchronize images between registry repositories and local directories.
       The synchronization is achieved by copying all the images found at
       source to destination.

       Useful to synchronize a local container registry mirror, and to
       populate registries running inside of air-gapped environments.

       Unlike other skopeo commands, skopeo sync requires both source and
       destination transports to be specified separately from source and
       destination. One of the problems of prefixing a destination with its
       transport is that the registry docker://hostname:port would be wrongly
       interpreted as an image reference at a non-fully qualified registry,
       with hostname and port as the image name and tag.

       Available source transports:
        - docker (i.e. --src docker): source is a repository hosted on a
          container registry (e.g.: registry.example.com/busybox). If no image
          tag is specified, skopeo sync copies all the tags found in that
          repository.
        - dir (i.e. --src dir): source is a local directory path (e.g.:
          /media/usb/). Refer to skopeo(1) dir:path for the local image format.
        - yaml (i.e. --src yaml): source is a local YAML file path. The YAML
          file should specify the list of images copied from different
          container registries (local directories are not supported). Refer to
          EXAMPLES for the file format.

       Available destination transports:
        - docker (i.e. --dest docker): destination is a container registry
          (e.g.: my-registry.local.lan).
        - dir (i.e. --dest dir): destination is a local directory path (e.g.:
          /media/usb/). One directory per source 'image:tag' is created for
          each copied image.

       When the --scoped option is specified, images are prefixed with the
       source image path so that multiple images with the same name can be
       stored at destination.

OPTIONS

       --all, -a If one of the images in src refers to a list of images,
       instead of copying just the image which matches the current OS and
       architecture (subject to the use of the global --override-os,
       --override-arch and --override-variant options), attempt to copy all of
       the images in the list, and the list itself.

       --authfile path

       Path of the authentication file. Default is
       ${XDG_RUNTIME_DIR}/containers/auth.json, which is set using skopeo
       login. If the authorization state is not found there,
       $HOME/.docker/config.json is checked, which is set using docker login.

       --src-authfile path

       Path of the authentication file for the source registry. Uses path
       given by --authfile, if not provided.

       --dest-authfile path

       Path of the authentication file for the destination registry. Uses path
       given by --authfile, if not provided.

       --dry-run

       Run the sync without actually copying data to the destination.

       --src, -s transport Transport for the source repository.

       --dest, -d transport Destination transport.

       --format, -f manifest-type Manifest Type (oci, v2s1, or v2s2) to use
       when syncing image(s) to a destination (default is manifest type of
       source, with fallbacks).

       --help, -h

       Print usage statement.

       --scoped Prefix images with the source image path, so that multiple
       images with the same name can be stored at destination.

       --preserve-digests Preserve the digests during copying. Fail if the
       digest cannot be preserved. Consider using --all at the same time.

       --remove-signatures Do not copy signatures, if any, from source-image.
       This is necessary when copying a signed image to a destination which
       does not support signatures.

       --sign-by key-id

       Add a “simple signing” signature using that key ID for an image name
       corresponding to destination-image.

       --sign-by-sigstore-private-key path

       Add a sigstore signature using a private key at path for an image name
       corresponding to destination-image.

       --sign-passphrase-file path

       The passphrase to use when signing with --sign-by or
       --sign-by-sigstore-private-key. Only the first line will be read. A
       passphrase stored in a file is of questionable security if other users
       can read this file. Do not use this option if at all avoidable.

       --src-creds username[:password] Credentials for accessing the source
       registry.

       --dest-creds username[:password] Credentials for accessing the
       destination registry.

       --src-cert-dir path Use certificates (*.crt, *.cert, *.key) at path to
       connect to the source registry or daemon.

       --src-no-creds Access the registry anonymously.

       --src-tls-verify=bool Require HTTPS and verify certificates when
       talking to a container source registry or daemon. Defaults to the
       source registry entry in registry.conf setting.

       --dest-cert-dir path Use certificates (*.crt, *.cert, *.key) at path to
       connect to the destination registry or daemon.

       --dest-no-creds Access the registry anonymously.

       --dest-tls-verify=bool Require HTTPS and verify certificates when
       talking to a container destination registry or daemon. Defaults to the
       destination registry entry in registry.conf setting.

       --src-registry-token Bearer token for accessing the source registry.

       --dest-registry-token Bearer token for accessing the destination
       registry.

       --retry-times The number of times to retry. The retry wait time is
       exponentially increased based on the number of failed attempts.

       --keep-going If any errors occur during copying of images, those errors
       are logged and the process continues syncing the rest of the images,
       and finally fails at the end.

       --src-username

       The username to access the source registry.

       --src-password

       The password to access the source registry.

       --dest-username

       The username to access the destination registry.

       --dest-password

       The password to access the destination registry.

EXAMPLES

   Synchronizing to a local directory
              $ skopeo sync --src docker --dest dir registry.example.com/busybox /media/usb

       Images are located at:

              /media/usb/busybox:1-glibc
              /media/usb/busybox:1-musl
              /media/usb/busybox:1-ubuntu
              /media/usb/busybox:latest

   Synchronizing to a container registry from local
       Images are located at:

              /media/usb/busybox:1-glibc

       Sync run:

              $ skopeo sync --src dir --dest docker /media/usb/busybox:1-glibc my-registry.local.lan/test/

       Destination registry content:

              REPO                                 TAGS
              my-registry.local.lan/test/busybox   1-glibc

   Synchronizing to a local directory, scoped
              $ skopeo sync --src docker --dest dir --scoped registry.example.com/busybox /media/usb

       Images are located at:

              /media/usb/registry.example.com/busybox:1-glibc
              /media/usb/registry.example.com/busybox:1-musl
              /media/usb/registry.example.com/busybox:1-ubuntu
              /media/usb/registry.example.com/busybox:latest

   Synchronizing to a container registry
              $ skopeo sync --src docker --dest docker registry.example.com/busybox my-registry.local.lan

       Destination registry content:

              REPO                            TAGS
              my-registry.local.lan/busybox   1-glibc, 1-musl, 1-ubuntu, ..., latest

   Synchronizing to a container registry keeping the repository
              $ skopeo sync --src docker --dest docker registry.example.com/repo/busybox my-registry.local.lan/repo

       Destination registry content:

              REPO                                 TAGS
              my-registry.local.lan/repo/busybox   1-glibc, 1-musl, 1-ubuntu, ..., latest

   YAML file content (used as source for --src yaml)
              registry.example.com:
                  images:
                      busybox: []
                      redis:
                          - "1.0"
                          - "2.0"
                          - "sha256:0000000000000000000000000000000011111111111111111111111111111111"
                  images-by-tag-regex:
                      nginx: ^1\.13\.[12]-alpine-perl$
                  credentials:
                      username: john
                      password: this is a secret
                  tls-verify: true
                  cert-dir: /home/john/certs
              quay.io:
                  tls-verify: false
                  images:
                      coreos/etcd:
                          - latest

       If the YAML filename is sync.yml, sync run:

              $ skopeo sync --src yaml --dest docker sync.yml my-registry.local.lan/repo/

       This will copy the following images:
        - Repository registry.example.com/busybox: all images, as no tags are
          specified.
        - Repository registry.example.com/redis: images tagged "1.0" and "2.0"
          along with image with digest
          "sha256:0000000000000000000000000000000011111111111111111111111111111111".
        - Repository registry.example.com/nginx: images tagged
          "1.13.1-alpine-perl" and "1.13.2-alpine-perl".
        - Repository quay.io/coreos/etcd: images tagged "latest".

       For the registry registry.example.com, the "john"/"this is a secret"
       credentials are used, with server TLS certificates located at
       /home/john/certs.

       TLS verification is normally enabled, and it can be disabled by setting
       tls-verify to false. In the above example, TLS verification is enabled
       for registry.example.com, while it is disabled for quay.io.
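
       A --src yaml file can carry a plaintext password and can switch off TLS
       verification per registry, so it is worth auditing before a sync run.
       The following is an added example, not part of skopeo or its
       documentation: the function names insecure_registries,
       exposed_credentials and write_sample are hypothetical, and the script
       assumes the indentation layout shown in the YAML above.

```shell
#!/bin/sh
# Added example (not skopeo code): pre-flight audit of a `--src yaml` file.
# Assumes the layout shown in EXAMPLES: registry names are unindented
# top-level keys; tls-verify and credentials are indented beneath them.

# Print each registry whose block sets tls-verify: false.
insecure_registries() {
    awk '
        /^[^ \t#][^ \t]*:[ \t]*$/ { reg = $0; sub(/:[ \t]*$/, "", reg); next }
        /^[ \t]+tls-verify:[ \t]*false[ \t]*$/ { print reg }
    ' "$1"
}

# Succeed (exit 0) when the file embeds a password AND its mode lets
# group or others read it.
exposed_credentials() {
    grep -Eq '^[[:space:]]+password:' "$1" || return 1
    [ -n "$(find "$1" -prune \( -perm -040 -o -perm -004 \) -print)" ]
}

# Constructed sample input, modelled on the YAML in EXAMPLES.
write_sample() {
    cat > "$1" <<'EOF'
registry.example.com:
    images:
        busybox: []
    credentials:
        username: john
        password: this is a secret
    tls-verify: true
quay.io:
    tls-verify: false
    images:
        coreos/etcd:
            - latest
EOF
}

sample=$(mktemp) && write_sample "$sample" && chmod 644 "$sample"
insecure_registries "$sample" | sed 's/^/TLS verification disabled for: /'
exposed_credentials "$sample" &&
    echo "password readable by group/others; chmod 600 before use"
rm -f "$sample"
```

       The awk match is line-based rather than a full YAML parse, so it only
       recognises the literal value false written in the layout above.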

SEE ALSO

       skopeo(1), skopeo-login(1), docker-login(1), containers-auth.json(5),
       containers-policy.json(5), containers-transports(5)

AUTHORS

       Flavio Castelli <fcastelli@suse.com>, Marco Vedovati
       <mvedovati@suse.com>