skopeo (1) - Linux Manuals
skopeo: Various operations with container images images and container image registries
NAME
skopeo -- Various operations with container images images and container image registries
SYNOPSIS
skopeo [global options] command [command options]
DESCRIPTION
skopeo is a command line utility providing various operations with container images and container image registries. For example, it is able to inspect a repository on a Docker registry and fetch image. It fetches the repository's manifest and it is able to show you a docker inspect-like json output about a whole repository or a tag. This tool, in contrast to docker inspect, helps you gather useful information about a repository or a tag without requiring you to run docker pull - e.g. - which tags are available for the given repository? which labels the image has?
It also allows you to copy container images between various registries, possibly converting them as necessary, and to sign and verify images.
IMAGE NAMES
Most commands refer to container images, using a transport:details format. The following formats are supported:
atomic:namespace/stream:tag
dir:path
docker://docker-reference
oci:path:tag
--debug enable debug output
--policy path-to-policy Path to a policy.json file to use for verifying signatures and deciding whether an image is trusted, overriding the default trust policy file.
--insecure-policy Adopt an insecure, permissive policy that allows anything. This obviates the need for a policy file.
--registries.d dir use registry configuration files in dir (e.g. for docker signature storage), overriding the default path.
--help|-h Show help
--version|-v print the version number
skopeo copy [--sign-by=key-ID] source-image destination-image
Copy an image (manifest, filesystem layers, signatures) from one location to another.
Uses the system's trust policy to validate images, rejects images not trusted by the policy.
source-image use the "image name" format described above
destination-image use the "image name" format described above
--remove-signatures do not copy signatures, if any, from source-image. Necessary when copying a signed image to a destination which does not support signatures.
--sign-by=key-id add a signature using that key ID for an image name corresponding to destination-image
--src-creds username[:password] for accessing the source registry
--dest-creds username[:password] for accessing the destination registry
--src-cert-dir path Use certificates at path (*.crt, *.cert, *.key) to connect to the source registry
--src-tls-verify bool-value Require HTTPS and verify certificates when talking to docker source registry (defaults to true)
--dest-cert-dir path Use certificates at path (*.crt, *.cert, *.key) to connect to the destination registry
--dest-ostree-tmp-dir path Directory to use for OSTree temporary files.
--dest-tls-verify bool-value Require HTTPS and verify certificates when talking to docker destination registry (defaults to true)
Existing signatures, if any, are preserved as well.
skopeo delete image-name
Mark image-name for deletion. To release the allocated disk space, you need to execute the docker registry garabage collector. E.g.,
--creds username[:password] for accessing the registry
--cert-dir path Use certificates at path (*.crt, *.cert, *.key) to connect to the registry
--tls-verify bool-value Require HTTPS and verify certificates when talking to docker registries (defaults to true)
Additionally, the registry must allow deletions by setting REGISTRY_STORAGE_DELETE_ENABLED=true for the registry daemon.
skopeo inspect [--raw] image-name
Return low-level information about image-name in a registry
--raw output raw manifest, default is to format in JSON
image-name name of image to retrieve information about
--creds username[:password] for accessing the registry
--cert-dir path Use certificates at path (*.crt, *.cert, *.key) to connect to the registry
--tls-verify bool-value Require HTTPS and verify certificates when talking to docker registries (defaults to true)
skopeo manifest-digest manifest-file
Compute a manifest digest of manifest-file and write it to standard output.
skopeo standalone-sign manifest docker-reference key-fingerprint --output|-o signature
This is primarily a debugging tool, or useful for special cases,
and usually should not be a part of your normal operational workflow; use skopeo copy --sign-by instead to publish and sign an image in one step.
manifest Path to a file containing the image manifest
docker-reference A docker reference to identify the image with
key-fingerprint Key identity to use for signing
--output|-o output file
skopeo standalone-verify manifest docker-reference key-fingerprint signature
Verify a signature using local files, digest will be printed on success.
manifest Path to a file containing the image manifest
docker-reference A docker reference expected to identify the image in the signature
key-fingerprint Expected identity of the signing key
signature Path to signature file
Note: If you do use this, make sure that the image can not be changed at the source location between the times of its verification and use.
show help for skopeo
/etc/containers/policy.json
/etc/containers/registries.d
To copy the layers of the docker.io busybox image to a local directory:
To copy and sign an image:
Mark image example/pause for deletion from the registry.example.com registry:
See above for additional details on using the command delete.
To review information for the image fedora from the docker.io registry:
Another method to retrieve the layers for the busybox image from the docker.io registry:
See skopeo copy above for the preferred method of signing images.
Antonio Murdaca
<runcom [at] redhat.com>, Miloslav Trmac
<mitr [at] redhat.com>, Jhon Honce
<jhonce [at] redhat.com>
OPTIONS
COMMANDS
skopeo copy
skopeo delete
$ docker exec -it registry bin/registry garbage-collect /etc/docker/registry/config.yml
skopeo inspect
skopeo manifest-digest
skopeo standalone-sign
skopeo standalone-verify
skopeo help
FILES
EXAMPLES
skopeo copy
$ mkdir -p /var/lib/images/busybox
$ skopeo copy docker://busybox:latest dir:/var/lib/images/busybox
$ ls /var/lib/images/busybox/*
/tmp/busybox/2b8fd9751c4c0f5dd266fcae00707e67a2545ef34f9a29354585f93dac906749.tar
/tmp/busybox/manifest.json
/tmp/busybox/8ddc19f16526912237dd8af81971d5e4dd0587907234be2b83e249518d5b673f.tar
$ skopeo copy --sign-by dev [at] example.com atomic:example/busybox:streaming atomic:example/busybox:gold
skopeo delete
$ skopeo delete --force docker://registry.example.com/example/pause:latest
skopeo inspect
$ skopeo inspect docker://docker.io/fedora
{
"Name": "docker.io/library/fedora",
"Digest": "sha256:a97914edb6ba15deb5c5acf87bd6bd5b6b0408c96f48a5cbd450b5b04509bb7d",
"RepoTags": [
"20",
"21",
"22",
"23",
"24",
"heisenbug",
"latest",
"rawhide"
],
"Created": "2016-06-20T19:33:43.220526898Z",
"DockerVersion": "1.10.3",
"Labels": {},
"Architecture": "amd64",
"Os": "linux",
"Layers": [
"sha256:7c91a140e7a1025c3bc3aace4c80c0d9933ac4ee24b8630a6b0b5d8b9ce6b9d4"
]
}
skopeo layers
$ skopeo layers docker://busybox
$ ls layers-500650331/
8ddc19f16526912237dd8af81971d5e4dd0587907234be2b83e249518d5b673f.tar
manifest.json
a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4.tar
skopeo manifest-digest
$ skopeo manifest-digest manifest.json
sha256:a59906e33509d14c036c8678d687bd4eec81ed7c4b8ce907b888c607f6a1e0e6
skopeo standalone-sign
$ skopeo standalone-sign busybox-manifest.json registry.example.com/example/busybox 1D8230F6CDB6A06716E414C1DB72F2188BB46CC8 --output busybox.signature
$
skopeo standalone-verify
$ skopeo standalone-verify busybox-manifest.json registry.example.com/example/busybox 1D8230F6CDB6A06716E414C1DB72F2188BB46CC8 busybox.signature
Signature verified, digest sha256:20bf21ed457b390829cdbeec8795a7bea1626991fda603e0d01b4e7f60427e55
AUTHORS