Skip to content

Latest commit

 

History

History
184 lines (141 loc) · 7.07 KB

skopeo-sync.1.md

File metadata and controls

184 lines (141 loc) · 7.07 KB

% skopeo-sync(1)

NAME

skopeo-sync - Synchronize images between container registries and local directories.

SYNOPSIS

skopeo sync --src transport --dest transport source destination

DESCRIPTION

Synchronize images between container registries and local directories. The synchronization is achieved by copying all the images found at source to destination.

Useful to synchronize a local container registry mirror, and to to populate registries running inside of air-gapped environments.

Differently from other skopeo commands, skopeo sync requires both source and destination transports to be specified separately from source and destination. One of the problems of prefixing a destination with its transport is that, the registry docker://hostname:port would be wrongly interpreted as an image reference at a non-fully qualified registry, with hostname and port the image name and tag.

Available source transports:

  • docker (i.e. --src docker): source is a repository hosted on a container registry (e.g.: registry.example.com/busybox). If no image tag is specified, skopeo sync copies all the tags found in that repository.
  • dir (i.e. --src dir): source is a local directory path (e.g.: /media/usb/). Refer to skopeo(1) dir:path for the local image format.
  • yaml (i.e. --src yaml): source is local YAML file path. The YAML file should specify the list of images copied from different container registries (local directories are not supported). Refer to EXAMPLES for the file format.

Available destination transports:

  • docker (i.e. --dest docker): destination is a container registry (e.g.: my-registry.local.lan).
  • dir (i.e. --dest dir): destination is a local directory path (e.g.: /media/usb/). One directory per source 'image:tag' is created for each copied image.

When the --scoped option is specified, images are prefixed with the source image path so that multiple images with the same name can be stored at destination.

OPTIONS

--authfile path

Path of the authentication file. Default is ${XDG_RUNTIME_DIR}/containers/auth.json, which is set using skopeo login. If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using docker login.

--src-authfile path

Path of the authentication file for the source registry. Uses path given by --authfile, if not provided.

--dest-authfile path

Path of the authentication file for the destination registry. Uses path given by --authfile, if not provided.

--src transport Transport for the source repository.

--dest transport Destination transport.

--scoped Prefix images with the source image path, so that multiple images with the same name can be stored at destination.

--remove-signatures Do not copy signatures, if any, from source-image. This is necessary when copying a signed image to a destination which does not support signatures.

--sign-by=key-id Add a signature using that key ID for an image name corresponding to destination-image.

--src-creds username[:password] for accessing the source registry.

--dest-creds username[:password] for accessing the destination registry.

--src-cert-dir path Use certificates (*.crt, *.cert, *.key) at path to connect to the source registry or daemon.

--src-no-creds bool-value Access the registry anonymously.

--src-tls-verify bool-value Require HTTPS and verify certificates when talking to a container source registry or daemon (defaults to true).

--dest-cert-dir path Use certificates (*.crt, *.cert, *.key) at path to connect to the destination registry or daemon.

--dest-no-creds bool-value Access the registry anonymously.

--dest-tls-verify bool-value Require HTTPS and verify certificates when talking to a container destination registry or daemon (defaults to true).

--src-registry-token Bearer token for accessing the source registry.

--dest-registry-token Bearer token for accessing the destination registry.

EXAMPLES

Synchronizing to a local directory

$ skopeo sync --src docker --dest dir registry.example.com/busybox /media/usb

Images are located at:

/media/usb/busybox:1-glibc
/media/usb/busybox:1-musl
/media/usb/busybox:1-ubuntu
...
/media/usb/busybox:latest

Synchronizing to a container registry from local

Images are located at:

/media/usb/busybox:1-glibc

Sync run

$ skopeo sync --src dir --dest docker /media/usb/busybox:1-glibc my-registry.local.lan/test/

Destination registry content:

REPO                                 TAGS
my-registry.local.lan/test/busybox   1-glibc

Synchronizing to a local directory, scoped

$ skopeo sync --src docker --dest dir --scoped registry.example.com/busybox /media/usb

Images are located at:

/media/usb/registry.example.com/busybox:1-glibc
/media/usb/registry.example.com/busybox:1-musl
/media/usb/registry.example.com/busybox:1-ubuntu
...
/media/usb/registry.example.com/busybox:latest

Synchronizing to a container registry

skopeo sync --src docker --dest docker registry.example.com/busybox my-registry.local.lan

Destination registry content:

REPO                         TAGS
registry.local.lan/busybox   1-glibc, 1-musl, 1-ubuntu, ..., latest

Synchronizing to a container registry keeping the repository

skopeo sync --src docker --dest docker registry.example.com/repo/busybox my-registry.local.lan/repo

Destination registry content:

REPO                              TAGS
registry.local.lan/repo/busybox   1-glibc, 1-musl, 1-ubuntu, ..., latest

YAML file content (used source for **--src yaml**)

registry.example.com:
    images:
        busybox: []
        redis:
            - "1.0"
            - "2.0"
    images-by-tag-regex:
        nginx: ^1\.13\.[12]-alpine-perl$
    credentials:
        username: john
        password: this is a secret
    tls-verify: true
    cert-dir: /home/john/certs
quay.io:
    tls-verify: false
    images:
        coreos/etcd:
            - latest

If the yaml filename is sync.yml, sync run:

skopeo sync --src yaml --dest docker sync.yml my-registry.local.lan/repo/

This will copy the following images:

  • Repository registry.example.com/busybox: all images, as no tags are specified.
  • Repository registry.example.com/redis: images tagged "1.0" and "2.0".
  • Repository registry.example.com/nginx: images tagged "1.13.1-alpine-perl" and "1.13.2-alpine-perl".
  • Repository quay.io/coreos/etcd: images tagged "latest".

For the registry registry.example.com, the "john"/"this is a secret" credentials are used, with server TLS certificates located at /home/john/certs.

TLS verification is normally enabled, and it can be disabled setting tls-verify to false. In the above example, TLS verification is enabled for reigstry.example.com, while is disabled for quay.io.

SEE ALSO

skopeo(1), skopeo-login(1), docker-login(1), containers-auth.json(5), containers-policy.json(5), containers-transports(5)

AUTHORS

Flavio Castelli fcastelli@suse.com, Marco Vedovati mvedovati@suse.com