skopeo-copy(1)()                                              skopeo-copy(1)()

NAME

       skopeo-copy - Copy an image (manifest, filesystem layers, signatures)
       from one location to another.

SYNOPSIS

       skopeo copy [options] source-image destination-image

DESCRIPTION

       Copy an image (manifest, filesystem layers, signatures) from one
       location to another.

       Uses the system's trust policy to validate images, and rejects images
       not trusted by the policy.

       source-image uses the "image name" format described in skopeo(1).

       destination-image uses the "image name" format described in skopeo(1).

       source-image and destination-image are interpreted completely
       independently; e.g. the destination name does not automatically inherit
       any parts of the source name.

OPTIONS

       See also skopeo(1) for options placed before the subcommand name.

       --additional-tag=strings

       Additional tags (supports docker-archive).

       --all, -a

       If source-image refers to a list of images, instead of copying just the
       image which matches the current OS and architecture (subject to the use
       of the global --override-os, --override-arch and --override-variant
       options), attempt to copy all of the images in the list, and the list
       itself.

       --authfile path

       Path of the authentication file. Default is
       ${XDG_RUNTIME_DIR}/containers/auth.json, which is set using skopeo
       login. If the authorization state is not found there,
       $HOME/.docker/config.json is checked, which is set using docker login.

       Note: You can also override the default path of the authentication file
       by setting the REGISTRY_AUTH_FILE environment variable:
       export REGISTRY_AUTH_FILE=path

       --src-authfile path

       Path of the authentication file for the source registry. Uses the path
       given by --authfile, if not provided.

       --dest-authfile path

       Path of the authentication file for the destination registry. Uses the
       path given by --authfile, if not provided.

       --dest-shared-blob-dir directory

       Directory to use to share blobs across OCI repositories.

       --digestfile path

       After copying the image, write the digest of the resulting image to the
       file.

       --preserve-digests

       Preserve the digests during copying. Fail if the digest cannot be
       preserved.

       This option does not change what will be copied; consider using --all
       at the same time.

       --encrypt-layer ints

       Experimental. The 0-indexed indices of the layers to encrypt, with
       support for negative indexing (e.g. 0 is the first layer, -1 is the
       last layer).

       --format, -f manifest-type

       Manifest type (oci, v2s1, or v2s2) to use in the destination (default
       is manifest type of source, with fallbacks).

       --help, -h

       Print usage statement.

       --multi-arch option

       Control what is copied if source-image refers to a multi-architecture
       image. Default is system.

       Options:
       - system: Copy only the image that matches the system architecture
       - all: Copy the full multi-architecture image
       - index-only: Copy only the index

       The index-only option usually fails unless the referenced
       per-architecture images are already present in the destination, or the
       target registry supports sparse indexes.

       --quiet, -q

       Suppress output information when copying images.

       --remove-signatures

       Do not copy signatures, if any, from source-image. Necessary when
       copying a signed image to a destination which does not support
       signatures.

       --sign-by key-id

       Add a “simple signing” signature using that key ID for an image name
       corresponding to destination-image.

       --sign-by-sigstore param-file

       Add a sigstore signature based on the options in the specified
       containers sigstore signing parameter file, param-file. See
       containers-sigstore-signing-params.yaml(5) for details about the file
       format.

       --sign-by-sigstore-private-key path

       Add a sigstore signature using a private key at path for an image name
       corresponding to destination-image.

       --sign-passphrase-file path

       The passphrase to use when signing with --sign-by or
       --sign-by-sigstore-private-key. Only the first line will be read. A
       passphrase stored in a file is of questionable security if other users
       can read this file. Do not use this option if at all avoidable.

       --sign-identity reference

       The identity to use when signing the image. The identity must be a
       fully specified docker reference. If the identity is not specified, the
       target docker reference will be used.

       --src-shared-blob-dir directory

       Directory to use to share blobs across OCI repositories.

       --encryption-key protocol:keyfile

       Specifies the encryption protocol, which can be JWE (RFC7516), PGP
       (RFC4880), or PKCS7 (RFC2315), and the key material required for image
       encryption. For instance, jwe:/path/to/key.pem or pgp:admin@example.com
       or pkcs7:/path/to/x509-file.

       --decryption-key key[:passphrase]

       Key to be used for decryption of images. Key can point to keys and/or
       certificates. Decryption will be tried with all keys. If the key is
       protected by a passphrase, it is required to be passed in the argument
       and omitted otherwise.

       --src-creds username[:password]

       Credentials for accessing the source registry.

       --dest-compress

       Compress tarball image layers when saving to directory using the 'dir'
       transport (default is same compression type as source).

       --dest-decompress

       Decompress tarball image layers when saving to directory using the
       'dir' transport (default is same compression type as source).

       --dest-oci-accept-uncompressed-layers

       Allow uncompressed image layers when saving to an OCI image using the
       'oci' transport (default is to compress things that aren't compressed).

       --dest-creds username[:password]

       Credentials for accessing the destination registry.

       --src-cert-dir path

       Use certificates at path (*.crt, *.cert, *.key) to connect to the
       source registry or daemon.

       --src-no-creds

       Access the registry anonymously.

       --src-tls-verify=bool

       Require HTTPS and verify certificates when talking to container source
       registry or daemon. Defaults to the source registry setting.

       --dest-cert-dir path

       Use certificates at path (*.crt, *.cert, *.key) to connect to the
       destination registry or daemon.

       --dest-no-creds

       Access the registry anonymously.

       --dest-tls-verify=bool

       Require HTTPS and verify certificates when talking to container
       destination registry or daemon. Defaults to the destination registry
       setting.

       --src-daemon-host host

       Copy from docker daemon at host. If host starts with tcp://, HTTPS is
       enabled by default. To use plain HTTP, use the form http:// (default is
       unix:///var/run/docker.sock).

       --dest-daemon-host host

       Copy to docker daemon at host. If host starts with tcp://, HTTPS is
       enabled by default. To use plain HTTP, use the form http:// (default is
       unix:///var/run/docker.sock).

       Existing signatures, if any, are preserved as well.

       --dest-compress-format format

       Specifies the compression format to use. Supported values are: gzip,
       zstd and zstd:chunked.

       --dest-compress-level format

       Specifies the compression level to use. The value is specific to the
       compression algorithm used, e.g. for zstd the accepted values are in
       the range 1-20 (inclusive), while for gzip it is 1-9 (inclusive).

       --src-registry-token token

       Bearer token for accessing the source registry.

       --dest-registry-token token

       Bearer token for accessing the destination registry.

       --dest-precompute-digests

       Precompute digests to ensure layers are not uploaded that already exist
       on the destination registry. Layers with initially unknown digests
       (e.g. when compressing "on the fly") will be temporarily streamed to
       disk.

       --retry-times

       The number of times to retry. Retry wait time will be exponentially
       increased based on the number of failed attempts.

       --src-username

       The username to access the source registry.

       --src-password

       The password to access the source registry.

       --dest-username

       The username to access the destination registry.

       --dest-password

       The password to access the destination registry.
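
       How --all, --preserve-digests and --digestfile combine into a mirror
       that consumers can pin by digest, as an added example that is not part
       of the skopeo documentation. The helper names pinned_ref and
       mirror_pinned are hypothetical, and the digest file is assumed to hold
       a single sha256 digest.

```shell
#!/bin/sh
# Added example; pinned_ref and mirror_pinned are hypothetical helper names.

# Print NAME@DIGEST for a docker:// destination, using the digest that
# `skopeo copy --digestfile` wrote. Anything that is not a well-formed
# sha256 digest (empty or truncated file, stray text) is rejected.
pinned_ref() {
    dest=$1
    digestfile=$2
    digest=$(head -n 1 "$digestfile") || return 1
    hex=${digest#sha256:}
    [ "$digest" != "$hex" ] || return 1        # "sha256:" prefix missing
    [ "${#hex}" -eq 64 ] || return 1
    case $hex in *[!0-9a-f]*) return 1 ;; esac
    name=${dest#docker://}
    last=${name##*/}                           # final path component
    case $last in *:*) name=${name%:*} ;; esac # drop the tag, keep host:port
    printf '%s@%s\n' "$name" "$digest"
}

# Copy every image in a manifest list without altering any digest, then
# print the reference a deployment should pin to.
mirror_pinned() {
    src=$1
    dest=$2
    tmp=$(mktemp) || return 1
    skopeo copy --all --preserve-digests --digestfile "$tmp" "$src" "$dest" \
        && ref=$(pinned_ref "$dest" "$tmp")
    rc=$?
    rm -f "$tmp"
    [ "$rc" -eq 0 ] && printf '%s\n' "$ref"
    return "$rc"
}
```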

EXAMPLES

       To just copy an image from one registry to another:

       $ skopeo copy docker://quay.io/skopeo/stable:latest docker://registry.example.com/skopeo:latest

       To copy the layers of the docker.io busybox image to a local directory:

       $ mkdir -p /var/lib/images/busybox
       $ skopeo copy docker://busybox:latest dir:/var/lib/images/busybox
       $ ls /var/lib/images/busybox/*
         /var/lib/images/busybox/2b8fd9751c4c0f5dd266fcae00707e67a2545ef34f9a29354585f93dac906749.tar
         /var/lib/images/busybox/manifest.json
         /var/lib/images/busybox/8ddc19f16526912237dd8af81971d5e4dd0587907234be2b83e249518d5b673f.tar

       To create an archive consumable by docker load (but note that using a
       registry is almost always more efficient):

       $ skopeo copy docker://busybox:latest docker-archive:archive-file.tar:busybox:latest

       To copy and sign an image:

       $ skopeo copy --sign-by dev@example.com containers-storage:example/busybox:streaming docker://example/busybox:gold

       To encrypt an image:

       $ skopeo copy docker://docker.io/library/nginx:1.17.8 oci:local_nginx:1.17.8

       $ openssl genrsa -out private.key 2048
       $ openssl rsa -in private.key -pubout > public.key

       $ skopeo copy --encryption-key jwe:./public.key oci:local_nginx:1.17.8 oci:try-encrypt:encrypted

       To decrypt an image:

       $ skopeo copy --decryption-key ./private.key oci:try-encrypt:encrypted oci:try-decrypt:decrypted

       To copy an encrypted image without decryption:

       $ skopeo copy oci:try-encrypt:encrypted oci:try-encrypt-copy:encrypted

       To decrypt an image that requires more than one key:

       $ skopeo copy --decryption-key ./private1.key --decryption-key ./private2.key --decryption-key ./private3.key oci:try-encrypt:encrypted oci:try-decrypt:decrypted

       Container images can also be partially encrypted by specifying the
       index of the layer. Layers are 0-indexed, with support for negative
       indexing, i.e. 0 is the first layer, -1 is the last layer.

       For example, if the image docker.io/library/nginx:1.17.8 is made up of
       3 layers and we only want to encrypt the 2nd layer:

       $ skopeo copy --encryption-key jwe:./public.key --encrypt-layer 1 oci:local_nginx:1.17.8 oci:try-encrypt:encrypted
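
       The caution given under --sign-passphrase-file can be enforced before
       signing. This added example is not part of the skopeo documentation:
       it refuses to sign unless the passphrase file is a regular file owned
       by the caller with no group or other permission bits. The function
       names are hypothetical and GNU stat is assumed.

```shell
#!/bin/sh
# Added example; function names are hypothetical. Assumes GNU coreutils stat.

# Succeed only if FILE is a regular file (not a symlink), owned by the
# calling user, with no permission bits for group or others.
passphrase_file_is_private() {
    f=$1
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    [ "$(stat -c %u "$f")" = "$(id -u)" ] || return 1
    mode=$(stat -c %a "$f")                # octal, e.g. 600 or 644
    [ $(( 0$mode & 077 )) -eq 0 ]
}

# Sign while copying, as in the --sign-by example, but only with a
# passphrase file that other users cannot read.
copy_signed() {
    key_id=$1
    pass_file=$2
    src=$3
    dest=$4
    if ! passphrase_file_is_private "$pass_file"; then
        echo "refusing to sign: $pass_file is not private to $(id -un)" >&2
        return 1
    fi
    skopeo copy --sign-by "$key_id" --sign-passphrase-file "$pass_file" \
        "$src" "$dest"
}
```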

SEE ALSO

       skopeo(1), skopeo-login(1), docker-login(1), containers-auth.json(5),
       containers-policy.json(5), containers-transports(5),
       containers-signature(5)

AUTHORS

       Antonio Murdaca <runcom@redhat.com>, Miloslav Trmac <mitr@redhat.com>,
       Jhon Honce <jhonce@redhat.com>