skopeo-sync - Synchronize images between registry repositories and local directories.
Description
Synchronize images between registry repositories and local directories. Synchronization is achieved by
copying all the images found at source to destination - useful when synchronizing a local container
registry mirror or for populating registries running inside of air-gapped environments.
Unlike other skopeo commands, skopeo sync requires both source and destination transports to be
specified separately from source and destination. One problem with prefixing a destination with
its transport is that the registry docker://hostname:port would be wrongly interpreted as an image
reference at a non-fully qualified registry, with hostname and port as the image name and tag.
Available source transports:
- docker (i.e. --src docker): source is a repository hosted on a container registry (e.g.:
registry.example.com/busybox).
If no image tag is specified, skopeo sync copies all the tags found in that repository.
- dir (i.e. --src dir): source is a local directory path (e.g.: /media/usb/). Refer to skopeo(1)
dir:path for the local image format.
- yaml (i.e. --src yaml): source is a local YAML file path.
The YAML file should specify the list of images copied from different container registries (local
directories are not supported). Refer to EXAMPLES for the file format.
Available destination transports:
- docker (i.e. --dest docker): destination is a container registry (e.g.: my-registry.local.lan).
- dir (i.e. --dest dir): destination is a local directory path (e.g.: /media/usb/).
One directory per source 'image:tag' is created for each copied image.
When the --scoped option is specified, images are prefixed with the source image path so that multiple
images with the same name can be stored at destination.
Examples
Synchronizing to a local directory
$ skopeo sync --src docker --dest dir registry.example.com/busybox /media/usb
Images are located at:
/media/usb/busybox:1-glibc
/media/usb/busybox:1-musl
/media/usb/busybox:1-ubuntu
/media/usb/busybox:latest
Synchronizing to a container registry from local
Images are located at:
/media/usb/busybox:1-glibc
Sync run
$ skopeo sync --src dir --dest docker /media/usb/busybox:1-glibc my-registry.local.lan/test/
Destination registry content:
REPO                                 TAGS
my-registry.local.lan/test/busybox   1-glibc
Synchronizing to a local directory, scoped
$ skopeo sync --src docker --dest dir --scoped registry.example.com/busybox /media/usb
Images are located at:
/media/usb/registry.example.com/busybox:1-glibc
/media/usb/registry.example.com/busybox:1-musl
/media/usb/registry.example.com/busybox:1-ubuntu
/media/usb/registry.example.com/busybox:latest
Synchronizing to a container registry
$ skopeo sync --src docker --dest docker registry.example.com/busybox my-registry.local.lan
Destination registry content:
REPO                         TAGS
registry.local.lan/busybox   1-glibc, 1-musl, 1-ubuntu, ..., latest
Synchronizing to a container registry keeping the repository
$ skopeo sync --src docker --dest docker registry.example.com/repo/busybox my-registry.local.lan/repo
Destination registry content:
REPO                              TAGS
registry.local.lan/repo/busybox   1-glibc, 1-musl, 1-ubuntu, ..., latest
Synchronizing to a container registry with tag suffix
$ skopeo sync --src docker --dest docker --append-suffix '-mirror' registry.example.com/busybox my-registry.local.lan
Destination registry content:
REPO                         TAGS
registry.local.lan/busybox   1-glibc-mirror, 1-musl-mirror, 1-ubuntu-mirror, ..., latest-mirror
YAML file content (used source for --src yaml)
registry.example.com:
    images:
        busybox: []
        redis:
            - "1.0"
            - "2.0"
            - "sha256:0000000000000000000000000000000011111111111111111111111111111111"
    images-by-tag-regex:
        nginx: ^1\.13\.[12]-alpine-perl$
    credentials:
        username: john
        password: this is a secret
    tls-verify: true
    cert-dir: /home/john/certs
quay.io:
    tls-verify: false
    images:
        coreos/etcd:
            - latest
If the yaml filename is sync.yml, sync run:
$ skopeo sync --src yaml --dest docker sync.yml my-registry.local.lan/repo/
This will copy the following images:
- Repository registry.example.com/busybox: all images, as no tags are specified.
- Repository registry.example.com/redis: images tagged "1.0" and "2.0" along with image with digest
"sha256:0000000000000000000000000000000011111111111111111111111111111111".
- Repository registry.example.com/nginx: images tagged "1.13.1-alpine-perl" and "1.13.2-alpine-perl".
- Repository quay.io/coreos/etcd: images tagged "latest".
For the registry registry.example.com, the "john"/"this is a secret" credentials are used, with server
TLS certificates located at /home/john/certs.
TLS verification is normally enabled, and it can be disabled by setting tls-verify to false. In the above
example, TLS verification is enabled for registry.example.com, while it is disabled for quay.io.
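As an added example (not part of the skopeo documentation or code base), the following Python check audits a parsed sync file such as the one above before a run. It flags disabled TLS verification, passwords stored in the file, references that are tags rather than digests, empty tag lists and tag regexes without anchors. The dict form of the YAML, the name audit_sync_config and the finding texts are assumptions of this example, as is the premise that an unanchored regex can match anywhere inside a tag.

```python
import re

# Constructed sample: the sync.yml from this page in the dict form a YAML
# loader such as yaml.safe_load() would return (assumption of this example).
SYNC_CFG = {
    "registry.example.com": {
        "images": {
            "busybox": [],
            "redis": ["1.0", "2.0", "sha256:" + "0" * 32 + "1" * 32],
        },
        "images-by-tag-regex": {"nginx": r"^1\.13\.[12]-alpine-perl$"},
        "credentials": {"username": "john", "password": "this is a secret"},
        "tls-verify": True,
        "cert-dir": "/home/john/certs",
    },
    "quay.io": {"tls-verify": False, "images": {"coreos/etcd": ["latest"]}},
}

DIGEST = re.compile(r"^sha256:[0-9a-f]{64}$")


def audit_sync_config(cfg):
    """Return sorted (registry, item, finding) tuples for settings to review."""
    findings = []
    for registry, entry in cfg.items():
        # TLS verification is on unless the file explicitly sets it to false.
        if entry.get("tls-verify", True) is False:
            findings.append((registry, "tls-verify", "TLS verification disabled"))
        if "password" in entry.get("credentials", {}):
            findings.append((registry, "credentials", "password stored in file"))
        for repo, refs in entry.get("images", {}).items():
            if not refs:
                findings.append((registry, repo, "no tags listed: every tag is copied"))
            for ref in refs:
                # A tag can be re-pointed at the source; a digest cannot.
                if not DIGEST.match(ref):
                    findings.append((registry, f"{repo}:{ref}", "mutable tag, not a digest"))
        for repo, pattern in entry.get("images-by-tag-regex", {}).items():
            # Assumption: without ^...$ the pattern may match inside longer tags.
            if not (pattern.startswith("^") and pattern.endswith("$")):
                findings.append((registry, repo, "tag regex not anchored"))
    return sorted(findings)


if __name__ == "__main__":
    for registry, item, finding in audit_sync_config(SYNC_CFG):
        print(f"{registry}: {item}: {finding}")
```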
Name
skopeo-sync - Synchronize images between registry repositories and local directories.
Options
See also skopeo(1) for options placed before the subcommand name.
--all, -a
If one of the images in src refers to a list of images, instead of copying just the image which
matches the current OS and architecture (subject to the use of the global --override-os, --override-arch
and --override-variant options), attempt to copy all of the images in the list, and the list itself.
--authfile path
Path of the authentication file. Default is ${XDG_RUNTIME_DIR}/containers/auth.json, which is set using
skopeo login. If the authorization state is not found there, $HOME/.docker/config.json is checked, which
is set using docker login.
--src-authfile path
Path of the authentication file for the source registry. Uses path given by --authfile, if not provided.
--dest-authfile path
Path of the authentication file for the destination registry. Uses path given by --authfile, if not
provided.
--dry-run
Run the sync without actually copying data to the destination.
--src, -s transport
Transport for the source repository.
--dest, -d transport
Destination transport.
--format, -f manifest-type
Manifest Type (oci, v2s1, or v2s2) to use when syncing image(s) to a destination (default is manifest
type of source, with fallbacks).
--help, -h
Print usage statement.
--scoped
Prefix images with the source image path, so that multiple images with the same name can be
stored at destination.
--append-suffix tag-suffix
String to append to destination tags.
--preserve-digests
Preserve the digests during copying. Fail if the digest cannot be preserved.
This option does not change what will be copied; consider using --all at the same time.
--remove-signatures
Do not copy signatures, if any, from source-image. This is necessary when copying a
signed image to a destination which does not support signatures.
--sign-by key-id
Add a “simple signing” signature using that key ID for an image name corresponding to destination-image
--sign-by-sigstore param-file
Add a sigstore signature based on the options in the specified containers sigstore signing parameter
file, param-file. See containers-sigstore-signing-params.yaml(5) for details about the file format.
--sign-by-sigstore-private-key path
Add a sigstore signature using a private key at path for an image name corresponding to destination-image
--sign-passphrase-file path
The passphrase to use when signing with --sign-by or --sign-by-sigstore-private-key. Only the first line
will be read. A passphrase stored in a file is of questionable security if other users can read this
file. Do not use this option if at all avoidable.
--src-creds username[:password] for accessing the source registry.
--dest-creds username[:password] for accessing the destination registry.
--src-cert-dir path
Use certificates (*.crt, *.cert, *.key) at path to connect to the source registry or
daemon.
--src-no-creds
Access the registry anonymously.
--src-tls-verify=bool
Require HTTPS and verify certificates when talking to a container source registry
or daemon. Default to source registry entry in registry.conf setting.
--dest-cert-dir path
Use certificates (*.crt, *.cert, *.key) at path to connect to the destination
registry or daemon.
--dest-no-creds
Access the registry anonymously.
--dest-tls-verify=bool
Require HTTPS and verify certificates when talking to a container destination
registry or daemon. Default to destination registry entry in registry.conf setting.
--src-registry-token Bearer token for accessing the source registry.
--dest-registry-token Bearer token for accessing the destination registry.
--retry-times
The number of times to retry. The retry wait time is increased exponentially based on the
number of failed attempts.
--keep-going
If any errors occur during copying of images, those errors are logged and the process
continues syncing the rest of the images, and finally fails at the end.
--src-username
The username to access the source registry.
--src-password
The password to access the source registry.
--dest-username
The username to access the destination registry.
--dest-password
The password to access the destination registry.
See Also
skopeo(1), skopeo-login(1), docker-login(1), containers-auth.json(5), containers-policy.json(5), containers-transports(5)
Synopsis
skopeo sync [options] --src transport --dest transport source destination
