1skopeo-sync(1)() skopeo-sync(1)()
2
6 skopeo-sync - Synchronize images between registry repositories and lo‐
7 cal directories.
8
11 skopeo sync [options] --src transport --dest transport source destina‐
12 tion
13
16 Synchronize images between registry repositories and local directories.
17 Synchronization is achieved by copying all the images found at source
18 to destination - useful when synchronizing a local container registry
19 mirror or for populating registries running inside of air-gapped envi‐
20 ronments.
21 Differently from other skopeo commands, skopeo sync requires both
24 source and destination transports to be specified separately from
25 source and destination. One of the problems of prefixing a destination
26 with its transport is that, the registry docker://hostname:port would
27 be wrongly interpreted as an image reference at a non-fully qualified
28 registry, with hostname and port the image name and tag.
29 Available source transports:
32 - docker (i.e. --src docker): source is a repository hosted on a con‐
33 tainer registry (e.g.: registry.example.com/busybox).
34 If no image tag is specified, skopeo sync copies all the tags found in
35 that repository.
36 - dir (i.e. --src dir): source is a local directory path (e.g.: /me‐
37 dia/usb/). Refer to skopeo(1) dir:path for the local image format.
38 - yaml (i.e. --src yaml): source is local YAML file path.
39 The YAML file should specify the list of images copied from different
40 container registries (local directories are not supported). Refer to
41 EXAMPLES for the file format.
42 Available destination transports:
45 - docker (i.e. --dest docker): destination is a container registry
46 (e.g.: my-registry.local.lan).
47 - dir (i.e. --dest dir): destination is a local directory path (e.g.:
48 /media/usb/).
49 One directory per source 'image:tag' is created for each copied image.
50 When the --scoped option is specified, images are prefixed with the
53 source image path so that multiple images with the same name can be
54 stored at destination.
55
58 See also skopeo(1) for options placed before the subcommand name.
59 --all, -a If one of the images in src refers to a list of images, in‐
62 stead of copying just the image which matches the current OS and archi‐
63 tecture (subject to the use of the global --override-os, --override-
64 arch and --override-variant options), attempt to copy all of the images
65 in the list, and the list itself.
66 --authfile path
69 Path of the authentication file. Default is ${XDG_RUNTIME_DIR}/contain‐
72 ers/auth.json, which is set using skopeo login. If the authorization
73 state is not found there, $HOME/.docker/config.json is checked, which
74 is set using docker login.
75 --src-authfile path
78 Path of the authentication file for the source registry. Uses path
81 given by --authfile, if not provided.
82 --dest-authfile path
85 Path of the authentication file for the destination registry. Uses path
88 given by --authfile, if not provided.
89 --dry-run
92 Run the sync without actually copying data to the destination.
95 --src, -s transport Transport for the source repository.
98 --dest, -d transport Destination transport.
101 --format, -f manifest-type Manifest Type (oci, v2s1, or v2s2) to use
104 when syncing image(s) to a destination (default is manifest type of
105 source, with fallbacks).
106 --help, -h
109 Print usage statement.
112 --scoped Prefix images with the source image path, so that multiple im‐
115 ages with the same name can be stored at destination.
116 --append-suffix tag-suffix String to append to destination tags.
119 --preserve-digests
122 Preserve the digests during copying. Fail if the digest cannot be pre‐
125 served.
126 This option does not change what will be copied; consider using --all
129 at the same time.
130 --remove-signatures Do not copy signatures, if any, from source-image.
133 This is necessary when copying a signed image to a destination which
134 does not support signatures.
135 --sign-by key-id
138 Add a “simple signing” signature using that key ID for an image name
141 corresponding to destination-image
142 --sign-by-sigstore param-file
145 Add a sigstore signature based on the options in the specified contain‐
148 ers sigstore signing parameter file, param-file. See containers-sig‐
149 store-signing-params.yaml(5) for details about the file format.
150 --sign-by-sigstore-private-key path
153 Add a sigstore signature using a private key at path for an image name
156 corresponding to destination-image
157 --sign-passphrase-file path
160 The passphare to use when signing with --sign-by or --sign-by-sigstore-
163 private-key. Only the first line will be read. A passphrase stored in a
164 file is of questionable security if other users can read this file. Do
165 not use this option if at all avoidable.
166 --src-creds username[:password] for accessing the source registry.
169 --dest-creds username[:password] for accessing the destination reg‐
172 istry.
173 --src-cert-dir path Use certificates (*.crt, *.cert, *.key) at path to
176 connect to the source registry or daemon.
177 --src-no-creds Access the registry anonymously.
180 --src-tls-verify=bool Require HTTPS and verify certificates when talk‐
183 ing to a container source registry or daemon. Default to source reg‐
184 istry entry in registry.conf setting.
185 --dest-cert-dir path Use certificates (*.crt, *.cert, *.key) at path to
188 connect to the destination registry or daemon.
189 --dest-no-creds Access the registry anonymously.
192 --dest-tls-verify=bool Require HTTPS and verify certificates when talk‐
195 ing to a container destination registry or daemon. Default to destina‐
196 tion registry entry in registry.conf setting.
197 --src-registry-token Bearer token for accessing the source registry.
200 --dest-registry-token Bearer token for accessing the destination reg‐
203 istry.
204 --retry-times the number of times to retry, retry wait time will be
207 exponentially increased based on the number of failed attempts.
208 --keep-going If any errors occur during copying of images, those errors
211 are logged and the process continues syncing rest of the images and fi‐
212 nally fails at the end.
213 --src-username
216 The username to access the source registry.
219 --src-password
222 The password to access the source registry.
225 --dest-username
228 The username to access the destination registry.
231 --dest-password
234 The password to access the destination registry.
237
240 Synchronizing to a local directory
241 $ skopeo sync --src docker --dest dir registry.example.com/busybox /media/usb
242 Images are located at:
246 /media/usb/busybox:1-glibc
248 /media/usb/busybox:1-musl
249 /media/usb/busybox:1-ubuntu
250 /media/usb/busybox:latest
251 Synchronizing to a container registry from local
255 Images are located at:
256 /media/usb/busybox:1-glibc
258 Sync run
262 $ skopeo sync --src dir --dest docker /media/usb/busybox:1-glibc my-registry.local.lan/test/
264 Destination registry content:
268 REPO TAGS
270 my-registry.local.lan/test/busybox 1-glibc
271 Synchronizing to a local directory, scoped
275 $ skopeo sync --src docker --dest dir --scoped registry.example.com/busybox /media/usb
276 Images are located at:
280 /media/usb/registry.example.com/busybox:1-glibc
282 /media/usb/registry.example.com/busybox:1-musl
283 /media/usb/registry.example.com/busybox:1-ubuntu
284 /media/usb/registry.example.com/busybox:latest
285 Synchronizing to a container registry
289 $ skopeo sync --src docker --dest docker registry.example.com/busybox my-registry.local.lan
290 Destination registry content:
294 REPO TAGS
296 registry.local.lan/busybox 1-glibc, 1-musl, 1-ubuntu, ..., latest
297 Synchronizing to a container registry keeping the repository
301 $ skopeo sync --src docker --dest docker registry.example.com/repo/busybox my-registry.local.lan/repo
302 Destination registry content:
306 REPO TAGS
308 registry.local.lan/repo/busybox 1-glibc, 1-musl, 1-ubuntu, ..., latest
309 Synchronizing to a container registry with tag suffix
313 $ skopeo sync --src docker --dest docker --append-suffix '-mirror' registry.example.com/busybox my-registry.local.lan
314 Destination registry content:
318 REPO TAGS
320 registry.local.lan/busybox 1-glibc-mirror, 1-musl-mirror, 1-ubuntu-mirror, ..., latest-mirror
321 YAML file content (used source for **--src yaml**)
325 registry.example.com:
326 images:
327 busybox: []
328 redis:
329 - "1.0"
330 - "2.0"
331 - "sha256:0000000000000000000000000000000011111111111111111111111111111111"
332 images-by-tag-regex:
333 nginx: ^1\.13\.[12]-alpine-perl$
334 credentials:
335 username: john
336 password: this is a secret
337 tls-verify: true
338 cert-dir: /home/john/certs
339 quay.io:
340 tls-verify: false
341 images:
342 coreos/etcd:
343 - latest
344 If the yaml filename is sync.yml, sync run:
348 $ skopeo sync --src yaml --dest docker sync.yml my-registry.local.lan/repo/
350 This will copy the following images: - Repository registry.exam‐
354 ple.com/busybox: all images, as no tags are specified. - Repository
355 registry.example.com/redis: images tagged "1.0" and "2.0" along with
356 image with digest
357 "sha256:0000000000000000000000000000000011111111111111111111111111111111".
358 - Repository registry.example.com/nginx: images tagged "1.13.1-alpine-
359 perl" and "1.13.2-alpine-perl". - Repository quay.io/coreos/etcd: im‐
360 ages tagged "latest".
361 For the registry registry.example.com, the "john"/"this is a secret"
364 credentials are used, with server TLS certificates located at
365 /home/john/certs.
366 TLS verification is normally enabled, and it can be disabled setting
369 tls-verify to false. In the above example, TLS verification is enabled
370 for registry.example.com, while is disabled for quay.io.
371
374 skopeo(1), skopeo-login(1), docker-login(1), containers-auth.json(5),
375 containers-policy.json(5), containers-transports(5)
376
379 Flavio Castelli fcastelli@suse.com ⟨mailto:fcastelli@suse.com⟩, Marco
380 Vedovati mvedovati@suse.com ⟨mailto:mvedovati@suse.com⟩
381 skopeo-sync(1)()