.nh
.TH skopeo\-copy(1)
.SH NAME
.PP
skopeo\-copy \- Copy an image (manifest, filesystem layers, signatures) from one location to another.
.SH SYNOPSIS
.PP
\fBskopeo copy\fP [\fB\-\-sign\-by=\fP\fIkey\-ID\fP] \fIsource\-image destination\-image\fP
.SH DESCRIPTION
.PP
Copy an image (manifest, filesystem layers, signatures) from one location to another.
.PP
Uses the system's trust policy to validate images and rejects images not trusted by the policy.
.PP
\fIsource\-image\fP uses the "image name" format described above
.PP
\fIdestination\-image\fP uses the "image name" format described above
.PP
\fIsource\-image\fP and \fIdestination\-image\fP are interpreted completely independently; e.g. the destination name does not automatically inherit any parts of the source name.
.SH OPTIONS
.PP
\fB\-\-all\fP
.PP
If \fIsource\-image\fP refers to a list of images, instead of copying just the image which matches the current OS and architecture (subject to the use of the global \-\-override\-os, \-\-override\-arch and \-\-override\-variant options), attempt to copy all of the images in the list, and the list itself.
.PP
\fB\-\-authfile\fP \fIpath\fP
.PP
Path of the authentication file. Default is ${XDG\_RUNTIME\_DIR}/containers/auth.json, which is set using \fB\fCskopeo login\fR\&.
If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using \fB\fCdocker login\fR\&.
.PP
Note: You can also override the default path of the authentication file by setting the REGISTRY\_AUTH\_FILE
environment variable. \fB\fCexport REGISTRY\_AUTH\_FILE=path\fR
.PP
\fB\-\-src\-authfile\fP \fIpath\fP
.PP
Path of the authentication file for the source registry. Uses path given by \fB\fC\-\-authfile\fR, if not provided.
.PP
\fB\-\-dest\-authfile\fP \fIpath\fP
.PP
Path of the authentication file for the destination registry. Uses path given by \fB\fC\-\-authfile\fR, if not provided.
.PP
\fB\-\-format, \-f\fP \fImanifest\-type\fP Manifest type (oci, v2s1, or v2s2) to use when saving image to directory using the 'dir:' transport (default is manifest type of source)
.PP
\fB\-\-quiet, \-q\fP suppress output information when copying images
.PP
\fB\-\-remove\-signatures\fP do not copy signatures, if any, from \fIsource\-image\fP\&. Necessary when copying a signed image to a destination which does not support signatures.
.PP
\fB\-\-sign\-by=\fP\fIkey\-id\fP add a signature using that key ID for an image name corresponding to \fIdestination\-image\fP
.PP
\fB\-\-encryption\-key\fP \fIprotocol:keyfile\fP specifies the encryption protocol, which can be JWE (RFC7516), PGP (RFC4880), and PKCS7 (RFC2315) and the key material required for image encryption. For instance, jwe:/path/to/key.pem or pgp:admin@example.com or pkcs7:/path/to/x509\-file.
.PP
\fB\-\-decryption\-key\fP \fIkey[:passphrase]\fP to be used for decryption of images. Key can point to keys and/or certificates. Decryption will be tried with all keys. If the key is protected by a passphrase, it is required to be passed in the argument and omitted otherwise.
.PP
\fB\-\-src\-creds\fP \fIusername[:password]\fP for accessing the source registry.
.PP
\fB\-\-dest\-compress\fP \fIbool\-value\fP Compress tarball image layers when saving to directory using the 'dir' transport. (default is same compression type as source).
.PP
\fB\-\-dest\-oci\-accept\-uncompressed\-layers\fP \fIbool\-value\fP Allow uncompressed image layers when saving to an OCI image using the 'oci' transport. (default is to compress things that aren't compressed).
.PP
\fB\-\-dest\-creds\fP \fIusername[:password]\fP for accessing the destination registry.
.PP
\fB\-\-src\-cert\-dir\fP \fIpath\fP Use certificates at \fIpath\fP (*.crt, *.cert, *.key) to connect to the source registry or daemon.
.PP
\fB\-\-src\-no\-creds\fP \fIbool\-value\fP Access the registry anonymously.
.PP
\fB\-\-src\-tls\-verify\fP \fIbool\-value\fP Require HTTPS and verify certificates when talking to container source registry or daemon (defaults to true).
.PP
\fB\-\-dest\-cert\-dir\fP \fIpath\fP Use certificates at \fIpath\fP (*.crt, *.cert, *.key) to connect to the destination registry or daemon.
.PP
\fB\-\-dest\-no\-creds\fP \fIbool\-value\fP Access the registry anonymously.
.PP
\fB\-\-dest\-tls\-verify\fP \fIbool\-value\fP Require HTTPS and verify certificates when talking to container destination registry or daemon (defaults to true).
.PP
\fB\-\-src\-daemon\-host\fP \fIhost\fP Copy from docker daemon at \fIhost\fP\&. If \fIhost\fP starts with \fB\fCtcp://\fR, HTTPS is enabled by default. To use plain HTTP, use the form \fB\fChttp://\fR (default is \fB\fCunix:///var/run/docker.sock\fR).
.PP
\fB\-\-dest\-daemon\-host\fP \fIhost\fP Copy to docker daemon at \fIhost\fP\&. If \fIhost\fP starts with \fB\fCtcp://\fR, HTTPS is enabled by default. To use plain HTTP, use the form \fB\fChttp://\fR (default is \fB\fCunix:///var/run/docker.sock\fR).
.PP
Existing signatures, if any, are preserved as well.
.PP
\fB\-\-dest\-compress\-format\fP \fIformat\fP Specifies the compression format to use. Supported values are: \fB\fCgzip\fR and \fB\fCzstd\fR\&.
.PP
\fB\-\-dest\-compress\-level\fP \fIformat\fP Specifies the compression level to use. The value is specific to the compression algorithm used, e.g. for zstd the accepted values are in the range 1\-20 (inclusive), while for gzip it is 1\-9 (inclusive).
.PP
\fB\-\-src\-registry\-token\fP \fIBearer token\fP for accessing the source registry.
.PP
\fB\-\-dest\-registry\-token\fP \fIBearer token\fP for accessing the destination registry.
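.PP
A pre\-flight check for the options above, as an added example that is not part of skopeo or of the original page: the shell function lints a \fBskopeo copy\fP argument list for settings that weaken the documented defaults or put secrets on the command line. The function name, the messages and the sample invocation are assumptions made for this example.
.nf

```sh
#!/bin/sh
# Added example, not part of skopeo: lint the arguments of a "skopeo copy"
# call for options that weaken the defaults documented in OPTIONS.
# Prints one finding per line and returns 1 if there is any finding.
audit_skopeo_copy() {
    local flag value rc=0
    while [ "$#" -gt 0 ]; do
        flag="$1"; value=""
        case "$1" in
            --*=*) flag="${1%%=*}"; value="${1#*=}" ;;   # --flag=value
            --*)   # "--flag value": the next word, unless it is an option
                   case "${2:-}" in -*) ;; *) value="${2:-}" ;; esac ;;
        esac
        case "$flag" in
            --src-tls-verify|--dest-tls-verify)
                if [ "$value" = "false" ]; then
                    echo "$flag: HTTPS and certificate verification are off"; rc=1
                fi ;;
            --src-daemon-host|--dest-daemon-host)
                case "$value" in http://*)
                    echo "$flag: plain HTTP to the docker daemon"; rc=1 ;;
                esac ;;
            --remove-signatures)
                echo "$flag: signatures of the source image are dropped"; rc=1 ;;
            --src-creds|--dest-creds|--decryption-key)
                case "$value" in *:*)
                    echo "$flag: secret after ':' is visible in the process list"; rc=1 ;;
                esac ;;
            --src-registry-token|--dest-registry-token)
                echo "$flag: bearer token is visible in the process list"; rc=1 ;;
        esac
        shift
    done
    return "$rc"
}

# Constructed sample invocation; the registry name and password are made up.
set -- --src-tls-verify=false --dest-creds "ci:constructed-password"
set -- "$@" --remove-signatures docker://registry.example.com/app:1 dir:/tmp/app
audit_skopeo_copy "$@" || echo "review the findings above"
```

.fi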
.SH EXAMPLES
.PP
To just copy an image from one registry to another:
.PP
.RS
.nf
$ skopeo copy docker://quay.io/skopeo/stable:latest docker://registry.example.com/skopeo:latest
.fi
.RE
.PP
To copy the layers of the docker.io busybox image to a local directory:
.PP
.RS
.nf
$ mkdir \-p /var/lib/images/busybox
$ skopeo copy docker://busybox:latest dir:/var/lib/images/busybox
$ ls /var/lib/images/busybox/*
  /var/lib/images/busybox/2b8fd9751c4c0f5dd266fcae00707e67a2545ef34f9a29354585f93dac906749.tar
  /var/lib/images/busybox/manifest.json
  /var/lib/images/busybox/8ddc19f16526912237dd8af81971d5e4dd0587907234be2b83e249518d5b673f.tar
.fi
.RE
.PP
To copy and sign an image:
.PP
.RS
.nf
# skopeo copy \-\-sign\-by dev@example.com containers\-storage:example/busybox:streaming docker://example/busybox:gold
.fi
.RE
.PP
To encrypt an image:
.PP
.RS
.nf
skopeo copy docker://docker.io/library/nginx:1.17.8 oci:local\_nginx:1.17.8
openssl genrsa \-out private.key 2048
openssl rsa \-in private.key \-pubout > public.key
skopeo copy \-\-encryption\-key jwe:./public.key oci:local\_nginx:1.17.8 oci:try\-encrypt:encrypted
.fi
.RE
.PP
To decrypt an image:
.PP
.RS
.nf
skopeo copy \-\-decryption\-key ./private.key oci:try\-encrypt:encrypted oci:try\-decrypt:decrypted
.fi
.RE
.PP
To copy an encrypted image without decryption:
.PP
.RS
.nf
skopeo copy oci:try\-encrypt:encrypted oci:try\-encrypt\-copy:encrypted
.fi
.RE
.PP
To decrypt an image that requires more than one key:
.PP
.RS
.nf
skopeo copy \-\-decryption\-key ./private1.key \-\-decryption\-key ./private2.key \-\-decryption\-key ./private3.key oci:try\-encrypt:encrypted oci:try\-decrypt:decrypted
.fi
.RE
.PP
Container images can also be partially encrypted by specifying the index of the layer. Layer indices are 0\-based, with support for negative indexing, i.e. 0 is the first layer and \-1 is the last layer.
.PP
Let's say that, out of the 3 layers that the image \fB\fCdocker.io/library/nginx:1.17.8\fR is made up of, we only want to encrypt the 2nd layer:
.PP
.RS
.nf
skopeo copy \-\-encryption\-key jwe:./public.key \-\-encrypt\-layer 1 oci:local\_nginx:1.17.8 oci:try\-encrypt:encrypted
.fi
.RE
.SH SEE ALSO
.PP
skopeo(1), skopeo\-login(1), docker\-login(1), containers\-auth.json(5), containers\-policy.json(5), containers\-transports(5)
.SH AUTHORS
.PP
Antonio Murdaca runcom@redhat.com
\[la]mailto:runcom@redhat.com\[ra], Miloslav Trmac mitr@redhat.com
\[la]mailto:mitr@redhat.com\[ra], Jhon Honce jhonce@redhat.com
\[la]mailto:jhonce@redhat.com\[ra]