skopeo

mirror of https://github.com/containers/skopeo.git synced 2025-05-09 16:36:29 +00:00

Work with remote images registries - retrieving information, images, signing content

Go to file

Miloslav Trmač a552909737 Release 1.12.0 More template functions available in (skopeo inspect --format) Adds new ways to supply trusted keys to (skopeo standalone-verify). Now requires Go 1.18. - [CI:DOCS] Fix up language in README - Add unit tests for tlsVerifyConfig's yaml.Unmarshaler - Cirrus: Use human-readable CI VM Images - [CI:BUILD] copr: fix el8 build and enable debuginfo - [CI:BUILD] enable debuginfo for el8 copr builds - Update to use, and benefit from, Go 1.18 - [CI:DOCS] Disable dependabot - Renovate: c/common rule moved to defaults - [CI:BUILD] Packit: initial enablement - Replace gopkg.in/check.v1 by github.com/stretchr/testify/suite/ - Corrected typo in skopeo-sync and updated description - Fix tabelating output in (skopeo inspect --format) - Use common library reporter - Fix formatting of inspect examples - Use io.WriteString - Factor out the output of data in (skopeo inspect) - Simplify inspectOptions.writeOutput a bit more - Cirrus: Update CI VM images - Make the installation instructions more prominent in README.md - [CI:BUILD] Packit: trigger builds on commit to main branch - systemtests: Fix 040-local-registry-auth about XDG_RUNTIME_DIR - Verify signatures from a trust store - Rename argument. Only use any with public key file. Double check fingerprint is in public key file. - Use multiple fingerprint function Allow comma separated fingerprint list - Avoid use of a deprecated capability.NewPid - Fix error handling of signature.NewEphemeralGPGSigningMechanism - Cross-link the top-level and subcommand option lists - Use golangci-lint instead of golint - Add (make tools) to install (for now only) golangci-lint, use it in Cirrus Signed-off-by: Miloslav Trmač <mitr@redhat.com>		2023-04-12 22:47:03 +02:00
.github	[skip-ci] Update actions/stale action to v8	2023-03-23 09:38:29 +00:00
cmd/skopeo	Fix error handling of signature.NewEphemeralGPGSigningMechanism	2023-04-06 21:23:36 +02:00
contrib	Run codespell on codebase	2023-02-09 09:13:32 -05:00
docs	Cross-link the top-level and subcommand option lists	2023-04-06 21:45:36 +02:00
hack	Use golangci-lint instead of golint	2023-04-06 21:45:51 +02:00
integration	Verify signatures from a trust store	2023-04-01 11:51:57 +01:00
systemtest	Verify signatures from a trust store	2023-04-01 11:51:57 +01:00
vendor	Update module github.com/containers/common to v0.52.0	2023-04-11 17:35:08 +00:00
version	Release 1.12.0	2023-04-12 22:47:03 +02:00
.cirrus.yml	Add (make tools) to install (for now only) golangci-lint, use it in Cirrus	2023-04-06 21:45:51 +02:00
.gitignore	shell completion: add Makefile target	2022-05-23 18:47:46 +02:00
.packit.sh	[CI:BUILD] Packit: initial enablement	2023-02-14 16:15:01 +05:30
.packit.yaml	[CI:BUILD] Packit: trigger builds on commit to main branch	2023-03-24 11:21:54 +05:30
CODE-OF-CONDUCT.md	[CI:DOCS] Fix docs links due to branch rename	2021-06-10 11:35:11 -04:00
CONTRIBUTING.md	Update IRC information	2022-06-29 20:14:56 -04:00
default-policy.json	Add insecureAcceptAnything to default docker-daemon transport	2016-10-31 14:43:35 -04:00
default.yaml	Fix documentation in the default registries.d content.	2022-09-21 22:06:52 +02:00
go.mod	Update module github.com/containers/common to v0.52.0	2023-04-11 17:35:08 +00:00
go.sum	Update module github.com/containers/common to v0.52.0	2023-04-11 17:35:08 +00:00
install.md	shell completion: add install instructions docs	2022-05-23 18:47:51 +02:00
LICENSE	Move to Apache 2 license	2016-06-24 11:35:34 -07:00
Makefile	Add (make tools) to install (for now only) golangci-lint, use it in Cirrus	2023-04-06 21:45:51 +02:00
OWNERS	Add OWNERS file	2021-08-17 16:50:30 -04:00
README.md	Make the installation instructions more prominent in README.md	2023-03-22 22:29:47 +01:00
SECURITY.md	[CI:DOCS] Fix docs links due to branch rename	2021-06-10 11:35:11 -04:00
skopeo.spec.rpkg	[CI:BUILD] enable debuginfo for el8 copr builds	2023-02-02 16:52:10 +05:30

README.md

skopeo is a command line utility that performs various operations on container images and image repositories.

skopeo does not require the user to be running as root to do most of its operations.

skopeo does not require a daemon to be running to perform its operations.

skopeo can work with OCI images as well as the original Docker v2 images.

Skopeo works with API V2 container image registries such as docker.io and quay.io registries, private registries, local directories and local OCI-layout directories. Skopeo can perform operations which consist of:

Copying an image from and to various storage mechanisms. For example you can copy images from one registry to another, without requiring privilege.
Inspecting a remote image showing its properties including its layers, without requiring you to pull the image to the host.
Deleting an image from an image repository.
Syncing an external image repository to an internal registry for air-gapped deployments.
When required by the repository, skopeo can pass the appropriate credentials and certificates for authentication.

Skopeo operates on the following image and repository types:

containers-storage:docker-reference An image located in a local containers/storage image store. Both the location and image store are specified in /etc/containers/storage.conf. (This is the backend for Podman, CRI-O, Buildah and friends)
dir:path An existing local directory path storing the manifest, layer tarballs and signatures as individual files. This is a non-standardized format, primarily useful for debugging or noninvasive container inspection.
docker://docker-reference An image in a registry implementing the "Docker Registry HTTP API V2". By default, uses the authorization state in $XDG_RUNTIME_DIR/containers/auth.json, which is set using skopeo login.
docker-archive:path[:docker-reference] An image is stored in a docker save-formatted file. docker-reference is only used when creating such a file, and it must not contain a digest.
docker-daemon:docker-reference An image docker-reference stored in the docker daemon internal storage. docker-reference must contain either a tag or a digest. Alternatively, when reading images, the format can also be docker-daemon:algo:digest (an image ID).
oci:path:tag An image tag in a directory compliant with "Open Container Image Layout Specification" at path.

Obtaining skopeo

For a detailed description how to install or build skopeo, see install.md.

Inspecting a repository

skopeo is able to inspect a repository on a container registry and fetch images layers. The inspect command fetches the repository's manifest and it is able to show you a docker inspect-like json output about a whole repository or a tag. This tool, in contrast to docker inspect, helps you gather useful information about a repository or a tag before pulling it (using disk space). The inspect command can show you which tags are available for the given repository, the labels the image has, the creation date and operating system of the image and more.

Examples:

Show properties of fedora:latest

$ skopeo inspect docker://registry.fedoraproject.org/fedora:latest
{
    "Name": "registry.fedoraproject.org/fedora",
    "Digest": "sha256:0f65bee641e821f8118acafb44c2f8fe30c2fc6b9a2b3729c0660376391aa117",
    "RepoTags": [
        "34-aarch64",
        "34",
        "latest",
        ...
    ],
    "Created": "2022-11-24T13:54:18Z",
    "DockerVersion": "1.10.1",
    "Labels": {
        "license": "MIT",
        "name": "fedora",
        "vendor": "Fedora Project",
        "version": "37"
    },
    "Architecture": "amd64",
    "Os": "linux",
    "Layers": [
        "sha256:2a0fc6bf62e155737f0ace6142ee686f3c471c1aab4241dc3128904db46288f0"
    ],
    "LayersData": [
        {
            "MIMEType": "application/vnd.docker.image.rootfs.diff.tar.gzip",
            "Digest": "sha256:2a0fc6bf62e155737f0ace6142ee686f3c471c1aab4241dc3128904db46288f0",
            "Size": 71355009,
            "Annotations": null
        }
    ],
    "Env": [
        "DISTTAG=f37container",
        "FGC=f37",
        "container=oci"
    ]
}

Show container configuration from `fedora:latest`

$ skopeo inspect --config docker://registry.fedoraproject.org/fedora:latest  | jq
{
  "created": "2020-04-29T06:48:16Z",
  "architecture": "amd64",
  "os": "linux",
  "config": {
    "Env": [
      "DISTTAG=f32container",
      "FGC=f32",
      "container=oci"
    ],
    "Cmd": [
      "/bin/bash"
    ],
    "Labels": {
      "license": "MIT",
      "name": "fedora",
      "vendor": "Fedora Project",
      "version": "32"
    }
  },
  "rootfs": {
    "type": "layers",
    "diff_ids": [
      "sha256:a4c0fa2b217d3fd63d51e55a6fd59432e543d499c0df2b1acd48fbe424f2ddd1"
    ]
  },
  "history": [
    {
      "created": "2020-04-29T06:48:16Z",
      "comment": "Created by Image Factory"
    }
  ]
}

Show unverified image's digest

$ skopeo inspect docker://registry.fedoraproject.org/fedora:latest | jq '.Digest'
"sha256:655721ff613ee766a4126cb5e0d5ae81598e1b0c3bcf7017c36c4d72cb092fe9"

Copying images

skopeo can copy container images between various storage mechanisms, including:

Container registries
- The Quay, Docker Hub, OpenShift, GCR, Artifactory ...
Container Storage backends
- github.com/containers/storage (Backend for Podman, CRI-O, Buildah and friends)
- Docker daemon storage
Local directories
Local OCI-layout directories

$ skopeo copy docker://quay.io/buildah/stable docker://registry.internal.company.com/buildah
$ skopeo copy oci:busybox_ocilayout:latest dir:existingemptydirectory

Deleting images

$ skopeo delete docker://localhost:5000/imagename:latest

Syncing registries

$ skopeo sync --src docker --dest dir registry.example.com/busybox /media/usb

Authenticating to a registry

Private registries with authentication

skopeo uses credentials from the --creds (for skopeo inspect|delete) or --src-creds|--dest-creds (for skopeo copy) flags, if set; otherwise it uses configuration set by skopeo login, podman login, buildah login, or docker login.

$ skopeo login --username USER myregistrydomain.com:5000
Password:
$ skopeo inspect docker://myregistrydomain.com:5000/busybox
{"Tag":"latest","Digest":"sha256:473bb2189d7b913ed7187a33d11e743fdc2f88931122a44d91a301b64419f092","RepoTags":["latest"],"Comment":"","Created":"2016-01-15T18:06:41.282540103Z","ContainerConfig":{"Hostname":"aded96b43f48","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":null,"Cmd":["/bin/sh","-c","#(nop) CMD [\"sh\"]"],"Image":"9e77fef7a1c9f989988c06620dabc4020c607885b959a2cbd7c2283c91da3e33","Volumes":null,"WorkingDir":"","Entrypoint":null,"OnBuild":null,"Labels":null},"DockerVersion":"1.8.3","Author":"","Config":{"Hostname":"aded96b43f48","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":null,"Cmd":["sh"],"Image":"9e77fef7a1c9f989988c06620dabc4020c607885b959a2cbd7c2283c91da3e33","Volumes":null,"WorkingDir":"","Entrypoint":null,"OnBuild":null,"Labels":null},"Architecture":"amd64","Os":"linux"}
$ skopeo logout myregistrydomain.com:5000

Using --creds directly

$ skopeo inspect --creds=testuser:testpassword docker://myregistrydomain.com:5000/busybox
{"Tag":"latest","Digest":"sha256:473bb2189d7b913ed7187a33d11e743fdc2f88931122a44d91a301b64419f092","RepoTags":["latest"],"Comment":"","Created":"2016-01-15T18:06:41.282540103Z","ContainerConfig":{"Hostname":"aded96b43f48","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":null,"Cmd":["/bin/sh","-c","#(nop) CMD [\"sh\"]"],"Image":"9e77fef7a1c9f989988c06620dabc4020c607885b959a2cbd7c2283c91da3e33","Volumes":null,"WorkingDir":"","Entrypoint":null,"OnBuild":null,"Labels":null},"DockerVersion":"1.8.3","Author":"","Config":{"Hostname":"aded96b43f48","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":null,"Cmd":["sh"],"Image":"9e77fef7a1c9f989988c06620dabc4020c607885b959a2cbd7c2283c91da3e33","Volumes":null,"WorkingDir":"","Entrypoint":null,"OnBuild":null,"Labels":null},"Architecture":"amd64","Os":"linux"}

$ skopeo copy --src-creds=testuser:testpassword docker://myregistrydomain.com:5000/private oci:local_oci_image

Contributing

Please read the contribution guide if you want to collaborate in the project.

Commands

Command	Description
skopeo-copy(1)	Copy an image (manifest, filesystem layers, signatures) from one location to another.
skopeo-delete(1)	Mark the image-name for later deletion by the registry's garbage collector.
skopeo-generate-sigstore-key(1)	Generate a sigstore public/private key pair.
skopeo-inspect(1)	Return low-level information about image-name in a registry.
skopeo-list-tags(1)	Return a list of tags for the transport-specific image repository.
skopeo-login(1)	Login to a container registry.
skopeo-logout(1)	Logout of a container registry.
skopeo-manifest-digest(1)	Compute a manifest digest for a manifest-file and write it to standard output.
skopeo-standalone-sign(1)	Debugging tool - Publish and sign an image in one step.
skopeo-standalone-verify(1)	Verify an image signature.
skopeo-sync(1)	Synchronize images between registry repositories and local directories.

License

skopeo is licensed under the Apache License, Version 2.0. See LICENSE for the full license text.