mirror of https://github.com/containers/skopeo.git synced 2025-04-28 03:10:18 +00:00

Work with remote images registries - retrieving information, images, signing content

Go to file

Miloslav Trmač e76eecd533 Update mtrmac/gpgme vendor to fix build on CentOS 7		2016-04-26 17:57:40 +02:00
dockerutils	Create a new subpackage "dockerutils", starting with manifest computation	2016-04-25 17:27:51 +02:00
hack	Strip signatures from v1s1 manifests before computing the digest	2016-04-19 17:37:04 +02:00
integration	Log command output on failures in signing integration tests	2016-04-11 17:41:57 +02:00
man1	* Update Authors	2016-04-21 13:44:12 -07:00
reference	remove duplicate code	2016-03-22 15:50:40 +01:00
signature	Create a new subpackage "dockerutils", starting with manifest computation	2016-04-25 17:27:51 +02:00
types	refactor image manifest	2016-03-22 15:50:41 +01:00
vendor/github.com	Update mtrmac/gpgme vendor to fix build on CentOS 7	2016-04-26 17:57:40 +02:00
version	remove cmd/ subdir	2016-03-25 12:14:43 +01:00
.gitignore	remove cmd/ subdir	2016-03-25 12:14:43 +01:00
.travis.yml	Add collective test targets:	2016-03-22 14:12:56 +01:00
cgo_pthread_ordering_workaround.go	Add a workaround for a glibc bug when -lphtread precedes -lgpgme	2016-04-13 21:42:19 +02:00
docker.go	fix invalid credentials error	2016-04-21 14:32:49 +02:00
Dockerfile	Add standalone-sign and standalone-verify commands	2016-03-24 17:06:30 +01:00
inspect.go	remove cmd/ subdir	2016-03-25 12:14:43 +01:00
layers.go	remove cmd/ subdir	2016-03-25 12:14:43 +01:00
LICENSE	change license to GPLv2	2016-03-08 16:25:51 +01:00
main.go	remove cmd/ subdir	2016-03-25 12:14:43 +01:00
Makefile	Update man page	2016-04-21 09:46:02 -07:00
README.md	Update man page	2016-04-21 09:46:02 -07:00
signing.go	Update man page	2016-04-21 09:46:02 -07:00
utils.go	remove cmd/ subdir	2016-03-25 12:14:43 +01:00

README.md

skopeo

Please be aware skopeo is still work in progress

skopeo is a command line utility which is able to inspect a repository on a Docker registry and fetch images layers.
By inspect I mean it fetches the repository's manifest and it is able to show you a docker inspect-like json output about a whole repository or a tag. This tool, in contrast to docker inspect, helps you gather useful information about a repository or a tag before pulling it (using disk space) - e.g. - which tags are available for the given repository? which labels the image has?

Examples:

# show repository's labels of rhel7:latest
$ skopeo inspect docker://registry.access.redhat.com/rhel7 | jq '.Config.Labels'
{
  "Architecture": "x86_64",
  "Authoritative_Registry": "registry.access.redhat.com",
  "BZComponent": "rhel-server-docker",
  "Build_Host": "rcm-img04.build.eng.bos.redhat.com",
  "Name": "rhel7/rhel",
  "Release": "38",
  "Vendor": "Red Hat, Inc.",
  "Version": "7.2"
}

# show repository's tags
$ skopeo inspect docker://docker.io/fedora | jq '.RepoTags'
[
  "20",
  "21",
  "22",
  "23",
  "heisenbug",
  "latest",
  "rawhide"
]

# show image's digest
$ skopeo inspect docker://docker.io/fedora:rawhide | jq '.Digest'
"sha256:905b4846938c8aef94f52f3e41a11398ae5b40f5855fb0e40ed9c157e721d7f8"

# show image's label "Name"
$ skopeo inspect docker://registry.access.redhat.com/rhel7 | jq '.Config.Labels.Name'
"rhel7/rhel"

Private registries with authentication

When interacting with private registries, skopeo first looks for the Docker's cli config file (usually located at $HOME/.docker/config.json) to get the credentials needed to authenticate. When the file isn't available it falls back looking for --username and --password flags. The ultimate fallback, as Docker does, is to provide an empty authentication when interacting with those registries.

Examples:

# on my system
$ skopeo --help | grep docker-cfg
   --docker-cfg "/home/runcom/.docker"	Docker's cli config for auth

$ cat /home/runcom/.docker/config.json
{
	"auths": {
		"myregistrydomain.com:5000": {
			"auth": "dGVzdHVzZXI6dGVzdHBhc3N3b3Jk",
			"email": "stuf@ex.cm"
		}
	}
}

# we can see I'm already authenticated via docker login so everything will be fine
$ skopeo inspect docker://myregistrydomain.com:5000/busybox
{"Tag":"latest","Digest":"sha256:473bb2189d7b913ed7187a33d11e743fdc2f88931122a44d91a301b64419f092","RepoTags":["latest"],"Comment":"","Created":"2016-01-15T18:06:41.282540103Z","ContainerConfig":{"Hostname":"aded96b43f48","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":null,"Cmd":["/bin/sh","-c","#(nop) CMD [\"sh\"]"],"Image":"9e77fef7a1c9f989988c06620dabc4020c607885b959a2cbd7c2283c91da3e33","Volumes":null,"WorkingDir":"","Entrypoint":null,"OnBuild":null,"Labels":null},"DockerVersion":"1.8.3","Author":"","Config":{"Hostname":"aded96b43f48","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":null,"Cmd":["sh"],"Image":"9e77fef7a1c9f989988c06620dabc4020c607885b959a2cbd7c2283c91da3e33","Volumes":null,"WorkingDir":"","Entrypoint":null,"OnBuild":null,"Labels":null},"Architecture":"amd64","Os":"linux"}

# let's try now to fake a non existent Docker's config file
$ skopeo --docker-cfg="" inspect docker://myregistrydomain.com:5000/busybox
FATA[0000] Get https://myregistrydomain.com:5000/v2/busybox/manifests/latest: no basic auth credentials

# passing --username and --password - we can see that everything goes fine
$ skopeo --docker-cfg="" --username=testuser --password=testpassword inspect docker://myregistrydomain.com:5000/busybox
{"Tag":"latest","Digest":"sha256:473bb2189d7b913ed7187a33d11e743fdc2f88931122a44d91a301b64419f092","RepoTags":["latest"],"Comment":"","Created":"2016-01-15T18:06:41.282540103Z","ContainerConfig":{"Hostname":"aded96b43f48","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":null,"Cmd":["/bin/sh","-c","#(nop) CMD [\"sh\"]"],"Image":"9e77fef7a1c9f989988c06620dabc4020c607885b959a2cbd7c2283c91da3e33","Volumes":null,"WorkingDir":"","Entrypoint":null,"OnBuild":null,"Labels":null},"DockerVersion":"1.8.3","Author":"","Config":{"Hostname":"aded96b43f48","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":null,"Cmd":["sh"],"Image":"9e77fef7a1c9f989988c06620dabc4020c607885b959a2cbd7c2283c91da3e33","Volumes":null,"WorkingDir":"","Entrypoint":null,"OnBuild":null,"Labels":null},"Architecture":"amd64","Os":"linux"}

If your cli config is found but it doesn't contain the necessary credentials for the queried registry you'll get an error. You can fix this by either logging in (via `docker login`) or providing `--username` and `--password`. Building

To build skopeo you need at least Go 1.5 because it uses the latest GO15VENDOREXPERIMENT flag. Also, make sure to clone the repository in your GOPATH - otherwise compilation fails.

$ cd $GOPATH/src
$ mkdir -p github.com/projectatomic
$ cd projectatomic
$ git clone https://github.com/projectatomic/skopeo
$ cd skopeo && make binary

You may need to install additional development packages: gpgme-devel and libassuan-devel

# dnf install gpgme-devel libassuan-devel

Man:

To build the man page you need go-md2man available on your system, then:

$ make man

Installing

If you built from source:

$ sudo make install

skopeo is also available from Fedora 23:

sudo dnf install skopeo

Tests

You need Docker installed on your system in order to run the test suite

$ make test-integration

TODO

update README with layers command
list all images on registry?
registry v2 search?
download layers in parallel and support docker load tar(s)
show repo tags via flag or when reference isn't tagged or digested
add tests (integration with deployed registries in container - Docker-like)
support rkt/appc image spec

NOT TODO

provide a format flag - just use the awesome jq

License

GPLv2