- Add option to set a fixed delay between retries.
- Clarify that if delay is unset, skopeo uses an exponential delay for
retries.
Fixes#2476
Signed-off-by: Adam Kaplan <adam.kaplan@redhat.com>
* Digest file output would have docker reference of source
and sha of of the mainfest sync'd with the target. This
file would not be created if dry-run flag is enabled
* improved the sync document to include the correct output for manifest file.
* added new line for the manifest file once all images are sync'd
* Ensuring we log on manifest digest if the copy operation was successful.
* Check for errors if any once sync process is complete.
* Ensure to capture the failure when closing the manifest file.
* Ensure we are not writing manifest sha for failed copy of imagesand aborting the process in case write to file fails
Signed-off-by: Ankit Agarwal <aagarwal@cloudsmith.io>
- Add a prompt to the skopeo commands.
- Add a "console" identifier to fenced code
blocks which has a prompt, not "sh".
Signed-off-by: Toshiki Sonoda <sonoda.toshiki@fujitsu.com>
(skopeo copy) and (skopeo sync) now support --sign-by-sigstore=param-file,
using the containers-sigstore-signing-params.yaml(5) file format.
That notably adds support for Fulcio and Rekor signing.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
If a passphrase is not provided, prompt for one.
Outstanding:
- Should have integration tests.
- The signing options shared between copy and sync should live in utils.go.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
The Go behavior of boolean flags is as follows:
Accepted values are --flag, which is the same as --flag=true, and --flag=false,
which is the default (except for OptionalBoolFlag).
--flag {false,true} is parsed as --flag=true with a non-option {false,true} argument.
So, for almost all flags, document them just as --flag, not
mentioning the [={false,true}] part, because users can just
omit =true, or the whole flag instead of =false.
OTOH, for tls-verify, document only the tls-verify={true,false}
variant, because the primary use is tls-verify=false, and because
tls-verify is not "the default", but equivalent to an explicit
tls-verify=true (overriding registries.conf).
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
To support signing images without prompting the user, add CLI flags for
providing a passphrase file.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
By default skopeo checks to see if the user actually uses one of the
--*tls-verify flags. Their initial value is ignored. Setting the
initial value to false causes Cobra to not display the default value on
the screen when the user runs a `skopeo --help` command.
If the user does not specify a --*tls-verify option, it falls back to
using the value specified in the registries.conf file.
Fixes: https://github.com/containers/skopeo/issues/1383
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
This is the script that runs 'skopeo COMMAND --help' and
cross-checks that all the option flags are documented
in man pages, and vice-versa (all options listed in man
pages appear in COMMAND's --help message).
Copied from podman, with changes for skopeo-land (removing
the rst checks, and conforming to skopeo conventions).
Signed-off-by: Ed Santiago <santiago@redhat.com>
Add new script, hack/man-page-checker, copied from podman. Run it
in 'make validate-local' target.
This is NOT the checker requested in #1332 (verify that flags
listed in 'skopeo foo --help' are documented in man pages and
vice-versa). This is a much simpler script that merely looks
for very basic typos or discrepancies between skopeo.1.md
and skopeo-foo.1.md.
The next part (cross-checking flags) is in progress but will
require a huge number of changes to the man pages. I'm submitting
this now because it's easy to review.
Signed-off-by: Ed Santiago <santiago@redhat.com>
This replicates the --all copy flag to sync to perform the same
behavior. Namely, the default is CopySystemImage unless --all is passed
which changes the behavior to CopyAllImages. While it is probably
desirable for --all to be the default as there is no option to override
ones architecture with the sync command, --all can potentially break
existing sync incantations depending on registry support. Hence
CopySystemImage remains the default.
Signed-off-by: Andrew DeMaria <ademaria@cloudflare.com>
- Improve the language
- Be consistent with the previous example about a trailing slash
- Don't unnecessarily quote :, it is not a shell metacharacter.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Fields that magically change their behavior depending on type of the value
are too much hassle for no benefit.
For now, this just copies&pastes the full loop in imagesToCopyFromRegistry
to create another loop handling the new ImagesByTagRegex field. Simplifications
to reduce duplication will follow.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
With additional prefixed flags for authfiles, it is possible to override the shared authfile flag to use different authfiles for src and dest registries. This is an important feature if the two registries have the same domain (but different paths) and require separate credentials.
Closes#773.
Signed-off-by: Daniel Strobusch <1847260+dastrobu@users.noreply.github.com>
The skopeo sync command can sync images between a SOURCE and a
destination.
The purpose of this command is to assist with the mirroring of
container images from different docker registries to a single
docker registry.
Right now the following source/destination locations are implemented:
* docker -> docker
* docker-> dir
* dir -> docker
The dir location is supported to handle the use case
of air-gapped environments.
In this context users can perform an initial sync on a trusted machine
connected to the internet; that would be a `docker` -> `dir` sync.
The target directory can be copied to a removable drive that can then be
plugged into a node of the air-gapped environment. From there a
`dir` -> `docker` sync will import all the images into the registry serving
the air-gapped environment.
Notes when specifying the `--scoped` option:
The image namespace is changed during the `docker` to `docker` or `dir` copy.
The FQDN of the registry hosting the image will be added as new root namespace
of the image. For example, the image `registry.example.com/busybox:latest`
will be copied to
`registry.local.lan/registry.example.com/busybox:latest`.
The image namespace is not changed when doing a
`dir:` -> `docker` sync operation.
The alteration of the image namespace is used to nicely scope images
coming from different registries (the Docker Hub, quay.io, gcr,
other registries). That allows all of them to be hosted on the same
registry without incurring in clashes and making their origin explicit.
Signed-off-by: Flavio Castelli <fcastelli@suse.com>
Co-authored-by: Marco Vedovati <mvedovati@suse.com>
