skopeo-copy(1)()					      skopeo-copy(1)()

NAME
       skopeo-copy  -  Copy an image (manifest,	filesystem layers, signatures)
       from one	location to another.

SYNOPSIS
       skopeo copy [options] source-image destination-image

DESCRIPTION
       Copy an image (manifest,	filesystem layers, signatures) from one	 loca-
       tion to another.

       Uses  the  system's trust policy	to validate images, rejects images not
       trusted by the policy.

       source-image use	the "image name" format	described above

       destination-image use the "image	name" format described above

       source-image and	destination-image are interpreted completely  indepen-
       dently;	e.g.  the  destination name does not automatically inherit any
       parts of	the source name.

OPTIONS
       See also	skopeo(1) for options placed before the	subcommand name.

       --additional-tag=strings

       Additional tags (supports docker-archive).

       --all, -a

       If source-image refers to a list	of images, instead of copying just the
       image which matches the current OS and architecture (subject to the use
       of the global --override-os, --override-arch and	--override-variant op-
       tions), attempt to copy all of the images in the	list, and the list it-
       self.

       --authfile path

       Path of the primary registry credentials	file. On Linux,	the default is
       ${XDG_RUNTIME_DIR}/containers/auth.json.	  See  containers-auth.json(5)
       for  more details about the credential search mechanism and defaults on
       other platforms.

       Use skopeo login	to manage the credentials.

       The default value of this option is read from the REGISTRY_AUTH_FILE
       environment variable.

       --src-authfile path

       Path  of	the primary registry credentials file for the source registry.
       Uses path given by --authfile, if not provided.

       --dest-authfile path

       Path of the primary registry credentials	file for the destination  reg-
       istry. Uses path	given by --authfile, if	not provided.

       --dest-shared-blob-dir directory

       Directory to use	to share blobs across OCI repositories.

       --digestfile path

       After copying the image,	write the digest of the	resulting image	to the
       file.

       --preserve-digests

       Preserve	 the digests during copying. Fail if the digest	cannot be pre-
       served.

       This option does	not change what	will be	copied;	consider  using	 --all
       at the same time.

       --encrypt-layer ints

       Experimental: the 0-indexed layer indices to encrypt, with support for
       negative indexing (e.g. 0 is the first layer, -1 is the last layer).

       --format, -f manifest-type

       MANIFEST	 TYPE  (oci, v2s1, or v2s2) to use in the destination (default
       is manifest type	of source, with	fallbacks)

       --help, -h

       Print usage statement

       --multi-arch option

       Control what is copied if source-image refers to	 a  multi-architecture
       image. Default is system.

       Options:

       - system: Copy only the image that matches the system architecture

       - all: Copy the full multi-architecture image

       - index-only: Copy only the index

       The index-only option usually fails unless the referenced per-architec-
       ture  images are	already	present	in the destination, or the target reg-
       istry supports sparse indexes.

       --quiet,	-q

       Suppress	output information when	copying	images.

       --remove-signatures

       Do not copy signatures, if any, from source-image. Necessary when copy-
       ing a signed image to a destination which does not support signatures.

       --sign-by key-id

       Add a simple signing signature using that key ID	for an image name cor-
       responding to destination-image

       --sign-by-sigstore param-file

       Add a sigstore signature based on the options in the specified
       containers sigstore signing parameter file, param-file. See
       containers-sigstore-signing-params.yaml(5) for details about the file
       format.

       --sign-by-sigstore-private-key path

       Add  a sigstore signature using a private key at	path for an image name
       corresponding to	destination-image

       --sign-by-sq-fingerprint	fingerprint

       Add a simple signing signature using a Sequoia-PGP key with the	speci-
       fied fingerprint.

       --sign-passphrase-file path

       The passphrase to use when signing with --sign-by,
       --sign-by-sigstore-private-key or --sign-by-sq-fingerprint. Only the
       first line will be read. A passphrase stored in a file is of
       questionable security if other users can read this file. Do not use
       this option if at all avoidable.

       --sign-identity reference

       The identity to use when	signing	the image.  The	 identity  must	 be  a
       fully specified docker reference. If the	identity is not	specified, the
       target docker reference will be used.

       --src-shared-blob-dir directory

       Directory to use	to share blobs across OCI repositories.

       --encryption-key	protocol:keyfile

       Specifies  the  encryption  protocol,  which  can be JWE	(RFC7516), PGP
       (RFC4880), and PKCS7 (RFC2315) and the key material required for	 image
       encryption. For instance, jwe:/path/to/key.pem or pgp:admin@example.com
       or pkcs7:/path/to/x509-file.

       --decryption-key	key[:passphrase]

       Key  to	be used	for decryption of images. Key can point	to keys	and/or
       certificates. Decryption	will be	tried with all keys.  If  the  key  is
       protected  by a passphrase, it is required to be	passed in the argument
       and omitted otherwise.

       --src-creds username[:password]

       Credentials for accessing the source registry.

       --dest-compress

       Compress	tarball	image layers when saving to directory using the	 'dir'
       transport. (default is same compression type as source).

       --dest-decompress

       Decompress  tarball  image  layers  when	 saving	to directory using the
       'dir' transport.	(default is same compression type as source).

       --dest-oci-accept-uncompressed-layers

       Allow uncompressed image	layers when saving to an OCI image  using  the
       'oci'  transport.  (default  is	to  compress  things  that aren't com-
       pressed).

       --dest-creds username[:password]

       Credentials for accessing the destination registry.

       --src-cert-dir path

       Use certificates	at path	(*.crt,	 *.cert,  *.key)  to  connect  to  the
       source registry or daemon.

       --src-no-creds

       Access the registry anonymously.

       --src-tls-verify=bool

       Require	HTTPS and verify certificates when talking to container	source
       registry	or daemon. Default to source registry setting.

       --dest-cert-dir path

       Use certificates	at path	(*.crt,	*.cert,	*.key) to connect to the  des-
       tination	registry or daemon.

       --dest-no-creds

       Access the registry anonymously.

       --dest-tls-verify=bool

       Require	HTTPS and verify certificates when talking to container	desti-
       nation registry or daemon. Default to destination registry setting.

       --src-daemon-host host

       Copy from docker	daemon at host.	If host	starts with tcp://,  HTTPS  is
       enabled by default. To use plain	HTTP, use the form http:// (default is
       unix:///var/run/docker.sock).

       --dest-daemon-host host

       Copy to docker daemon at	host. If host starts with tcp://, HTTPS	is en-
       abled  by  default. To use plain	HTTP, use the form http:// (default is
       unix:///var/run/docker.sock).

       Existing	signatures, if any, are	preserved as well.

       --dest-compress-format format

       Specifies the compression format	to use.	 Supported values  are:	 gzip,
       zstd  and  zstd:chunked.	  zstd:chunked is incompatible with encrypting
       images, and will	be treated as zstd with	a warning in that case.

       --dest-compress-level format

       Specifies the compression level to use.	The value is specific  to  the
       compression  algorithm  used,  e.g. for zstd the	accepted values	are in
       the range 1-20 (inclusive), while for gzip it is	1-9 (inclusive).

       --dest-force-compress-format

       Ensures that the	compression algorithm set in --dest-compress-format is
       used exclusively.

       --src-registry-token token

       Bearer token for	accessing the source registry.

       --dest-registry-token token

       Bearer token for	accessing the destination registry.

       --dest-precompute-digests

       Precompute digests to ensure layers are not uploaded that already exist
       on the destination registry. Layers with	initially unknown digests (ex.
       compressing "on the fly") will be temporarily streamed to disk.

       --retry-times

       The number of times to retry.

       --retry-delay

       Fixed delay between retries. If not set (or set to 0s), retry wait time
       will be exponentially increased based on	the number of failed attempts.

       --src-username

       The username to access the source registry.

       --src-password

       The password to access the source registry.

       --dest-username

       The username to access the destination registry.

       --dest-password

       The password to access the destination registry.

       --image-parallel-copies n

       Maximum number of image layers to be copied (pulled/pushed)  simultane-
       ously.  Not  setting  this field	will fall back to containers/image de-
       faults.

EXAMPLES
       To just copy an image from one registry to another:

       $ skopeo	copy docker://quay.io/skopeo/stable:latest docker://registry.example.com/skopeo:latest

       To copy the layers of the docker.io busybox image to a local directory:

       $ mkdir -p /var/lib/images/busybox
       $ skopeo	copy docker://busybox:latest dir:/var/lib/images/busybox
       $ ls /var/lib/images/busybox/*
         /var/lib/images/busybox/2b8fd9751c4c0f5dd266fcae00707e67a2545ef34f9a29354585f93dac906749.tar
         /var/lib/images/busybox/manifest.json
         /var/lib/images/busybox/8ddc19f16526912237dd8af81971d5e4dd0587907234be2b83e249518d5b673f.tar

       To create an archive consumable by docker load (but note	that  using  a
       registry	is almost always more efficient):

       $ skopeo	copy docker://busybox:latest docker-archive:archive-file.tar:busybox:latest

       To copy and sign	an image:

       $ skopeo	copy --sign-by dev@example.com containers-storage:example/busybox:streaming docker://example/busybox:gold
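
       The --sign-passphrase-file warning above, turned into a pre-flight
       check. This is an added example, not part of the original manual page;
       passphrase_file_ok, sign_copy and the passphrase path in the usage
       comment are illustrative names.

```shell
# Added example: refuse to sign when the passphrase file is accessible to
# other users. Function names and the usage path are illustrative, not skopeo's.

# passphrase_file_ok FILE
# Succeeds only if FILE is a regular file (not a symlink), owned by the
# current user, with no group or other permission bits set.
passphrase_file_ok() {
    f=$1
    [ -f "$f" ] && [ ! -L "$f" ] || {
        echo "not a regular file: $f" >&2; return 1; }
    [ -O "$f" ] || {
        echo "not owned by the current user: $f" >&2; return 1; }
    # ls -ld prints the mode string first; characters 5-10 are the
    # group and other permission bits.
    mode=$(ls -ld "$f" | cut -c5-10)
    [ "$mode" = "------" ] || {
        echo "group/other can access $f ($mode)" >&2; return 1; }
}

# sign_copy KEY-ID PASSPHRASE-FILE SOURCE-IMAGE DESTINATION-IMAGE
# Runs the signing copy only after the passphrase file passes the check.
sign_copy() {
    passphrase_file_ok "$2" || return 1
    skopeo copy --sign-by "$1" --sign-passphrase-file "$2" "$3" "$4"
}

# Usage, with the image names from the example above:
#   sign_copy dev@example.com "$HOME/.config/sign.pass" \
#       containers-storage:example/busybox:streaming docker://example/busybox:gold
```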

       To encrypt an image:

       $ skopeo	copy docker://docker.io/library/nginx:1.17.8 oci:local_nginx:1.17.8

       $ openssl genrsa -out private.key 2048
       $ openssl rsa -in private.key -pubout > public.key

       $ skopeo	copy --encryption-key jwe:./public.key oci:local_nginx:1.17.8 oci:try-encrypt:encrypted

       To decrypt an image:

       $ skopeo	copy --decryption-key ./private.key oci:try-encrypt:encrypted oci:try-decrypt:decrypted

       To copy an encrypted image without decrypting it:

       $ skopeo	copy oci:try-encrypt:encrypted oci:try-encrypt-copy:encrypted

       To decrypt an image that	requires more than one key:

       $ skopeo	copy --decryption-key ./private1.key --decryption-key ./private2.key --decryption-key ./private3.key oci:try-encrypt:encrypted oci:try-decrypt:decrypted

       Container images can also be partially encrypted by specifying the
       index of the layer. Layer indices are 0-based, with support for
       negative indexing, i.e. 0 is the first layer, -1 is the last layer.

       Let's say that, out of the 3 layers that the image
       docker.io/library/nginx:1.17.8 is made up of, we only want to encrypt
       the 2nd layer:

       $ skopeo	copy --encryption-key jwe:./public.key --encrypt-layer 1 oci:local_nginx:1.17.8	oci:try-encrypt:encrypted
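
       How the trust policy mentioned in DESCRIPTION gates a copy. This is an
       added example, not part of the original manual page;
       write_strict_policy, copy_with_policy, the registry.example.com/skopeo
       scope and the key path are illustrative assumptions. The policy file
       format is described in containers-policy.json(5).

```shell
# Added example, not from the skopeo manual. write_strict_policy,
# copy_with_policy, the scope and the key path are illustrative assumptions.

# write_strict_policy OUTFILE SCOPE KEYPATH
# Writes a containers-policy.json(5) file that rejects every image except
# those under the docker:// SCOPE carrying a signature by a key in KEYPATH.
write_strict_policy() {
    # Refuse values that would break out of the JSON strings below.
    case "$2$3" in
        *[\"\\]*) echo "scope/key path must not contain quotes or backslashes" >&2
                  return 1 ;;
    esac
    cat > "$1" <<EOF
{
    "default": [{"type": "reject"}],
    "transports": {
        "docker": {
            "$2": [
                {"type": "signedBy", "keyType": "GPGKeys", "keyPath": "$3"}
            ]
        }
    }
}
EOF
}

# copy_with_policy POLICYFILE SOURCE-IMAGE DESTINATION-IMAGE
# --policy is a global option, so it goes before the subcommand name.
copy_with_policy() {
    skopeo --policy "$1" copy "$2" "$3"
}

# Usage: the policy is evaluated against source-image, so the scope must
# cover it; any other source is rejected by the "default" rule.
#   write_strict_policy ./policy.json registry.example.com/skopeo /etc/pki/containers/dev.gpg
#   copy_with_policy ./policy.json docker://registry.example.com/skopeo:latest dir:/var/lib/images/skopeo
```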

SEE ALSO
       skopeo(1), skopeo-login(1), docker-login(1), containers-auth.json(5),
       containers-policy.json(5), containers-transports(5),
       containers-signature(5)

AUTHORS
       Antonio Murdaca <runcom@redhat.com>, Miloslav Trmac <mitr@redhat.com>,
       Jhon Honce <jhonce@redhat.com>
