The skopeo sync command can sync images between a SOURCE and a
destination.
The purpose of this command is to assist with the mirroring of
container images from different docker registries to a single
docker registry.
Right now the following source/destination locations are implemented:
* docker -> docker
* docker -> dir
* dir -> docker
The dir location is supported to handle the use case
of air-gapped environments.
In this context users can perform an initial sync on a trusted machine
connected to the internet; that would be a `docker` -> `dir` sync.
The target directory can be copied to a removable drive that can then be
plugged into a node of the air-gapped environment. From there a
`dir` -> `docker` sync will import all the images into the registry serving
the air-gapped environment.
Notes when specifying the `--scoped` option:
The image namespace is changed during the `docker` to `docker` or `dir` copy.
The FQDN of the registry hosting the image will be added as new root namespace
of the image. For example, the image `registry.example.com/busybox:latest`
will be copied to
`registry.local.lan/registry.example.com/busybox:latest`.
The image namespace is not changed when doing a
`dir:` -> `docker` sync operation.
The alteration of the image namespace is used to nicely scope images
coming from different registries (the Docker Hub, quay.io, gcr,
other registries). That allows all of them to be hosted on the same
registry without incurring clashes and making their origin explicit.
Signed-off-by: Flavio Castelli <fcastelli@suse.com>
Co-authored-by: Marco Vedovati <mvedovati@suse.com>
Remove the $HOME/.docker directory when tearing down a cluster,
so that subsequent cluster creations can be carried out successfully.
Signed-off-by: Marco Vedovati <mvedovati@suse.com>
Add a vendor-in-container make target to allow for executing make vendor
in a golang:1.13 container. The CI is currently enforcing golang 1.13
which has a different vendoring behavior than previous versions which
can lead to failing tests as some files might be added or deleted. The
new make target will help users who are not using 1.13 to vendor their
changes.
Signed-off-by: Valentin Rothberg <rothberg@redhat.com>
This image is about 100 MB instead of about 2 GB for the Server Core,
decreasing disk requirements and hopefully significantly speeding up
integration tests.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Experimentally, this seems to help with localhost access inside that
container (but I have no idea what's the reason for that).
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
The nested podman tries to write to it. This primarily only
removes noise from logs, it does not seem to significantly change
behavior.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
This allows using the vendored dependencies instead of
searching for them in $GOPATH and elsewhere.
This does not necessarily matter for skopeo itself, but
the test-skopeo Makefile target in containers/image uses
(go mod edit -replace) to replace the vendored c/image with
a locally-edited copy; skopeo's (make check) then runs tests in
a container which does not have access to this locally-edited
copy, and since Go 1.13 this causes (go {list,test,vet})
to fail if -mod=vendor is not used.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Drop support for the ostree backend. The only known user for the
backend is the atomic CLI tool that is not maintained anymore
upstream.
Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1766404
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
Per a report in https://github.com/containers/skopeo/issues/726 ,
it can happen if the user is not allowed the ListImages action
on AWS ECR.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Move signature yaml file to point at /var/lib/containers/sigstore.
Change skopeo-copy.1 to use containers-storage and docker transports
rather than atomic.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
These are getting out of date and should be left in containers/storage.
If packagers need it then they should get it from that repo.
Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
When --raw is provided, inspect can show the raw manifest list without
requiring any particular platform to be present. This test case is
used to make sure the inspect command with the --raw option works well
when the container image is different from the current platform arch.
Signed-off-by: Alex Jia <chuanchang.jia@gmail.com>
Add a --all/-a flag to instruct us to attempt to copy all of the
instances in the source image, if the source image specified to "skopeo
copy" is actually a list of images. Previously, we'd just try to locate
one for our preferred OS/arch combination.
Add a couple of tests to verify that we can copy an image into and then
back out of containers-storage. The contents of an image that has been
copied out of containers-storage need a bit of tweaking to compensate
for containers-storage's habit of returning uncompressed versions of the
layer blobs that were originally written to it, in order to be
comparable to the image as it was when it was pulled from a registry.
Signed-off-by: Nalin Dahyabhai <nalin@redhat.com>
- zstd test - give unique name.
  a36d81c copy/pasted an existing test but didn't give
  the new test a new name, leading to bats warning:
      duplicate test name(s) in [...]/020-copy.bats
- start_registry() - use bash builtins, not curl, to test
  if registry port is open.
  curl on Fedora now barfs with "Received HTTP/0.9 when not
  allowed" when the registry is run with SSL, because the
  response is not valid HTTP. One workaround would be 'curl
  --http0.9' but (surprise) that option doesn't exist on rhel8;
  and even with that option we would need --output /dev/null
  to silence a different curl warning. Curl is overkill
  for this purpose anyway, all we really need is netcat
  or some simple binary is-port-listening-or-not test.
  Fortunately, bash provides a /dev/tcp/<host>/<port>
  emulator that does the right thing and works on Fedora
  as well as RHEL8.
- new log_and_run() helper
  This is the noisiest yet least critical part of this PR.
  I'm sorry. It's motivated by my frustration in trying
  to reproduce the curl problem above: getting just the
  right incantation of openssl + podman-run cost me time.
  With this enhancement, important commands are logged
  as part of the output of failing tests, making it
  easy[*] for maintenance programmers to figure out a
  recipe for reproducing the failure.
  [*] "easy" as long as the test-writing developer
  uses log_and_run() wisely.
Signed-off-by: Ed Santiago <santiago@redhat.com>
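The port check described in the commit message above, written out as an added example (not code from the skopeo repository): a readiness probe that uses bash's `/dev/tcp/<host>/<port>` redirection instead of curl, so it behaves the same whether the registry speaks plain HTTP or TLS. The function names `port_is_open` and `wait_for_port` and their retry parameters are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: registry readiness probe built on bash's /dev/tcp emulation.
# Function names and defaults are hypothetical, not taken from skopeo's tests.

# port_is_open HOST PORT
# Returns 0 if a TCP connection to HOST:PORT can be established.
port_is_open() {
    local host=$1 port=$2
    # The subshell owns fd 3, so the socket is closed when the subshell exits.
    # Nothing is written to or read from the socket, so no HTTP or TLS
    # parsing is involved and there is no response to misinterpret.
    ( exec 3<>"/dev/tcp/${host}/${port}" ) 2>/dev/null
}

# wait_for_port HOST PORT [ATTEMPTS] [DELAY_SECONDS]
# Polls until the port accepts connections; returns 1 once ATTEMPTS is used up,
# so a registry that never starts fails the test instead of hanging it.
wait_for_port() {
    local host=$1 port=$2 attempts=${3:-10} delay=${4:-1}
    local i=1
    while [ "$i" -le "$attempts" ]; do
        if port_is_open "$host" "$port"; then
            return 0
        fi
        # Sleep only between attempts, not after the last one.
        if [ "$i" -lt "$attempts" ]; then
            sleep "$delay"
        fi
        i=$((i + 1))
    done
    return 1
}
```

A successful connect only shows that something is listening on the port; it does not show that the registry answers correctly or presents the expected certificate, so tests that depend on TLS still need to verify that separately.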