skopeo/docs/skopeo-copy.1.md
Daniel Strobusch 4489ddd8a5 add specific authfile options to copy (and sync) command.
With additional prefixed flags for authfiles, it is possible to override the shared authfile flag to use different authfiles for src and dest registries. This is an important feature if the two registries have the same domain (but different paths) and require separate credentials.

Closes #773.

Signed-off-by: Daniel Strobusch <1847260+dastrobu@users.noreply.github.com>
2020-01-15 10:24:30 +01:00


% skopeo-copy(1)

NAME

skopeo-copy - Copy an image (manifest, filesystem layers, signatures) from one location to another.

SYNOPSIS

skopeo copy [--sign-by=key-ID] source-image destination-image

DESCRIPTION

Copy an image (manifest, filesystem layers, signatures) from one location to another.

Uses the system's trust policy to validate images, rejects images not trusted by the policy.

source-image use the "image name" format described above

destination-image use the "image name" format described above

OPTIONS

--all

If source-image refers to a list of images, instead of copying just the image which matches the current OS and architecture (subject to the use of the global --override-os and --override-arch options), attempt to copy all of the images in the list, and the list itself.

--authfile path

Path of the authentication file. Default is ${XDG_RUNTIME_DIR}/containers/auth.json, which is set using podman login. If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using docker login.

--src-authfile path

Path of the authentication file for the source registry. Uses path given by --authfile, if not provided.

--dest-authfile path

Path of the authentication file for the destination registry. Uses path given by --authfile, if not provided.

--format, -f manifest-type

Manifest type (oci, v2s1, or v2s2) to use when saving image to directory using the 'dir:' transport (default is manifest type of source).

--quiet, -q

Suppress output information when copying images.

--remove-signatures

Do not copy signatures, if any, from source-image. Necessary when copying a signed image to a destination which does not support signatures.

--sign-by=key-id

Add a signature using that key ID for an image name corresponding to destination-image.

--encryption-key Key

A reference prefixed with the encryption protocol to use. The supported protocols are JWE, PGP and PKCS7. For instance, jwe:/path/to/key.pem or pgp:admin@example.com or pkcs7:/path/to/x509-file. This feature is still experimental.

--decryption-key Key

A reference required to perform decryption of container images. This should point to files which represent keys and/or certificates that can be used for decryption. Decryption will be tried with all keys. This feature is still experimental.

--src-creds username[:password]

For accessing the source registry.

--dest-compress bool-value

Compress tarball image layers when saving to directory using the 'dir' transport (default is same compression type as source).

--dest-oci-accept-uncompressed-layers bool-value

Allow uncompressed image layers when saving to an OCI image using the 'oci' transport (default is to compress things that aren't compressed).

--dest-creds username[:password]

For accessing the destination registry.

--src-cert-dir path

Use certificates at path (*.crt, *.cert, *.key) to connect to the source registry or daemon.

--src-no-creds bool-value

Access the registry anonymously.

--src-tls-verify bool-value

Require HTTPS and verify certificates when talking to container source registry or daemon (defaults to true).

--dest-cert-dir path

Use certificates at path (*.crt, *.cert, *.key) to connect to the destination registry or daemon.

--dest-no-creds bool-value

Access the registry anonymously.

--dest-tls-verify bool-value

Require HTTPS and verify certificates when talking to container destination registry or daemon (defaults to true).

--src-daemon-host host

Copy from docker daemon at host. If host starts with tcp://, HTTPS is enabled by default. To use plain HTTP, use the form http:// (default is unix:///var/run/docker.sock).

--dest-daemon-host host

Copy to docker daemon at host. If host starts with tcp://, HTTPS is enabled by default. To use plain HTTP, use the form http:// (default is unix:///var/run/docker.sock).

Existing signatures, if any, are preserved as well.

--dest-compress-format format

Specifies the compression format to use. Supported values are: gzip and zstd.

--dest-compress-level level

Specifies the compression level to use. The value is specific to the compression algorithm used, e.g. for zstd the accepted values are in the range 1-20 (inclusive), while for gzip it is 1-9 (inclusive).

EXAMPLES

To copy the layers of the docker.io busybox image to a local directory:

$ mkdir -p /var/lib/images/busybox
$ skopeo copy docker://busybox:latest dir:/var/lib/images/busybox
$ ls /var/lib/images/busybox/*
  /var/lib/images/busybox/2b8fd9751c4c0f5dd266fcae00707e67a2545ef34f9a29354585f93dac906749.tar
  /var/lib/images/busybox/manifest.json
  /var/lib/images/busybox/8ddc19f16526912237dd8af81971d5e4dd0587907234be2b83e249518d5b673f.tar

To copy and sign an image:

# skopeo copy --sign-by dev@example.com container-storage:example/busybox:streaming docker://example/busybox:gold

To encrypt an image:

skopeo copy docker://docker.io/library/nginx:latest oci:local_nginx:latest

openssl genrsa -out private.key 2048
openssl rsa -in private.key -pubout > public.key

skopeo copy --encryption-key jwe:./public.key oci:local_nginx:latest oci:try-encrypt:encrypted

To decrypt an image:

skopeo copy --decryption-key ./private.key oci:try-encrypt:encrypted oci:try-decrypt:decrypted

To copy encrypted image without decryption:

skopeo copy oci:try-encrypt:encrypted oci:try-encrypt-copy:encrypted

To decrypt an image that requires more than one key:

skopeo copy --decryption-key ./private1.key --decryption-key ./private2.key --decryption-key ./private3.key oci:try-encrypt:encrypted oci:try-decrypt:decrypted
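
To copy between two repositories on the same registry host that require separate credentials, using --src-authfile and --dest-authfile (an added example, not part of the original man page; registry.example.com, the repository paths, the user names and the passwords are constructed placeholders, and the helper function names are hypothetical):

```shell
#!/bin/sh
# Added example: one registry host, two identities, two auth files.
# All host names, repositories, users and secrets below are constructed.

# write_authfile PATH REGISTRY USER PASSWORD
# Writes an auth.json-style file with a single entry. umask 077 makes the file
# owner-readable only: the "auth" value is base64-encoded, not encrypted.
write_authfile() {
    ( umask 077
      token=$(printf '%s:%s' "$3" "$4" | base64 | tr -d '\n')
      printf '{\n  "auths": {\n    "%s": { "auth": "%s" }\n  }\n}\n' "$2" "$token" > "$1" )
}

# authfile_user PATH
# Decodes the entry and prints the user name, to confirm which identity a
# file carries before it is handed to skopeo.
authfile_user() {
    sed -n 's/.*"auth": "\([^"]*\)".*/\1/p' "$1" | base64 -d | cut -d: -f1
}

# copy_cmd SRC_AUTHFILE DEST_AUTHFILE SRC_IMAGE DEST_IMAGE
# Prints the skopeo command line that uses one auth file per side.
copy_cmd() {
    printf 'skopeo copy --src-authfile %s --dest-authfile %s %s %s\n' "$1" "$2" "$3" "$4"
}

workdir=$(mktemp -d)

# Both files are keyed on the same host, which is why one shared --authfile
# cannot hold both identities.
write_authfile "$workdir/src-auth.json"  registry.example.com reader 'constructed-src-secret'
write_authfile "$workdir/dest-auth.json" registry.example.com writer 'constructed-dest-secret'

cmd=$(copy_cmd "$workdir/src-auth.json" "$workdir/dest-auth.json" \
    docker://registry.example.com/team-a/app:1.0 \
    docker://registry.example.com/team-b/app:1.0)

echo "source identity:      $(authfile_user "$workdir/src-auth.json")"
echo "destination identity: $(authfile_user "$workdir/dest-auth.json")"
echo "$cmd"   # run this line once the placeholders are replaced with real values
```

Giving the source file a pull-only account and the destination file a push-capable one keeps the push credential from ever being presented for reads of the source repository.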

SEE ALSO

skopeo(1), podman-login(1), docker-login(1)

AUTHORS

Antonio Murdaca <runcom@redhat.com>, Miloslav Trmac <mitr@redhat.com>, Jhon Honce <jhonce@redhat.com>