Provided by: skopeo_1.4.1+ds1-1_amd64 
NAME
skopeo-copy - Copy an image (manifest, filesystem layers, signatures) from one location to
another.
SYNOPSIS
skopeo copy [options] source-image destination-image
DESCRIPTION
Copy an image (manifest, filesystem layers, signatures) from one location to another.
Uses the system's trust policy to validate images, rejects images not trusted by the
policy.
source-image use the "image name" format described above
destination-image use the "image name" format described above
source-image and destination-image are interpreted completely independently; e.g. the
destination name does not automatically inherit any parts of the source name.
OPTIONS
--additional-tag=strings
Additional tags (supports docker-archive).
--all, -a
If source-image refers to a list of images, instead of copying just the image which
matches the current OS and architecture (subject to the use of the global --override-os,
--override-arch and --override-variant options), attempt to copy all of the images in the
list, and the list itself.
--authfile path
Path of the authentication file. Default is ${XDG_RUNTIME_DIR}/containers/auth.json, which
is set using skopeo login. If the authorization state is not found there,
$HOME/.docker/config.json is checked, which is set using docker login.
Note: You can also override the default path of the authentication file by setting the
REGISTRY_AUTH_FILE environment variable. export REGISTRY_AUTH_FILE=path
--src-authfile path
Path of the authentication file for the source registry. Uses path given by --authfile, if
not provided.
--dest-authfile path
Path of the authentication file for the destination registry. Uses path given by
--authfile, if not provided.
--dest-shared-blob-dir directory
Directory to use to share blobs across OCI repositories.
--digestfile path
After copying the image, write the digest of the resulting image to the file.
--encrypt-layer ints
Experimental the 0-indexed layer indices, with support for negative indexing (e.g. 0 is
the first layer, -1 is the last layer)
--format, -f manifest-type
MANIFEST TYPE (oci, v2s1, or v2s2) to use in the destination (default is manifest type of
source, with fallbacks)
--help, -h
Print usage statement
--quiet, -q
Suppress output information when copying images.
--remove-signatures
Do not copy signatures, if any, from source-image. Necessary when copying a signed image
to a destination which does not support signatures.
--sign-by=key-id
Add a signature using that key ID for an image name corresponding to destination-image
--src-shared-blob-dir directory
Directory to use to share blobs across OCI repositories.
--encryption-key protocol:keyfile
Specifies the encryption protocol, which can be JWE (RFC7516), PGP (RFC4880), and PKCS7
(RFC2315) and the key material required for image encryption. For instance,
jwe:/path/to/key.pem or pgp:admin@example.com or pkcs7:/path/to/x509-file.
--decryption-key key[:passphrase]
Key to be used for decryption of images. Key can point to keys and/or certificates.
Decryption will be tried with all keys. If the key is protected by a passphrase, it is
required to be passed in the argument and omitted otherwise.
--src-creds username[:password]
Credentials for accessing the source registry.
--dest-compress bool-value
Compress tarball image layers when saving to directory using the 'dir' transport. (default
is same compression type as source).
--dest-decompress bool-value
Decompress tarball image layers when saving to directory using the 'dir' transport.
(default is same compression type as source).
--dest-oci-accept-uncompressed-layers bool-value
Allow uncompressed image layers when saving to an OCI image using the 'oci' transport.
(default is to compress things that aren't compressed).
--dest-creds username[:password]
Credentials for accessing the destination registry.
--src-cert-dir path
Use certificates at path (*.crt, *.cert, *.key) to connect to the source registry or
daemon.
--src-no-creds bool-value
Access the registry anonymously.
--src-tls-verify bool-value
Require HTTPS and verify certificates when talking to container source registry or daemon
(defaults to true).
--dest-cert-dir path
Use certificates at path (*.crt, *.cert, *.key) to connect to the destination registry or
daemon.
--dest-no-creds bool-value
Access the registry anonymously.
--dest-tls-verify bool-value
Require HTTPS and verify certificates when talking to container destination registry or
daemon (defaults to true).
--src-daemon-host host
Copy from docker daemon at host. If host starts with tcp://, HTTPS is enabled by default.
To use plain HTTP, use the form http:// (default is unix:///var/run/docker.sock).
--dest-daemon-host host
Copy to docker daemon at host. If host starts with tcp://, HTTPS is enabled by default. To
use plain HTTP, use the form http:// (default is unix:///var/run/docker.sock).
Existing signatures, if any, are preserved as well.
--dest-compress-format format
Specifies the compression format to use. Supported values are: gzip and zstd.
--dest-compress-level format
Specifies the compression level to use. The value is specific to the compression
algorithm used, e.g. for zstd the accepted values are in the range 1-20 (inclusive), while
for gzip it is 1-9 (inclusive).
--src-registry-token token
Bearer token for accessing the source registry.
--dest-registry-token token
Bearer token for accessing the destination registry.
--retry-times
The number of times to retry. Retry wait time will be exponentially increased based on the
number of failed attempts.
EXAMPLES
To just copy an image from one registry to another:
$ skopeo copy docker://quay.io/skopeo/stable:latest docker://registry.example.com/skopeo:latest
To copy the layers of the docker.io busybox image to a local directory:
$ mkdir -p /var/lib/images/busybox
$ skopeo copy docker://busybox:latest dir:/var/lib/images/busybox
$ ls /var/lib/images/busybox/*
/tmp/busybox/2b8fd9751c4c0f5dd266fcae00707e67a2545ef34f9a29354585f93dac906749.tar
/tmp/busybox/manifest.json
/tmp/busybox/8ddc19f16526912237dd8af81971d5e4dd0587907234be2b83e249518d5b673f.tar
To copy and sign an image:
# skopeo copy --sign-by dev@example.com containers-storage:example/busybox:streaming docker://example/busybox:gold
To encrypt an image:
skopeo copy docker://docker.io/library/nginx:1.17.8 oci:local_nginx:1.17.8
openssl genrsa -out private.key 1024
openssl rsa -in private.key -pubout > public.key
skopeo copy --encryption-key jwe:./public.key oci:local_nginx:1.17.8 oci:try-encrypt:encrypted
To decrypt an image:
skopeo copy --decryption-key ./private.key oci:try-encrypt:encrypted oci:try-decrypt:decrypted
To copy encrypted image without decryption:
skopeo copy oci:try-encrypt:encrypted oci:try-encrypt-copy:encrypted
To decrypt an image that requires more than one key:
skopeo copy --decryption-key ./private1.key --decryption-key ./private2.key --decryption-key ./private3.key oci:try-encrypt:encrypted oci:try-decrypt:decrypted
Container images can also be partially encrypted by specifying the index of the layer.
Layers are 0-indexed indices, with support for negative indexing. i.e. 0 is the first
layer, -1 is the last layer.
Let's say out of 3 layers that the image docker.io/library/nginx:1.17.8 is made up of, we
only want to encrypt the 2nd layer,
skopeo copy --encryption-key jwe:./public.key --encrypt-layer 1 oci:local_nginx:1.17.8 oci:try-encrypt:encrypted
SEE ALSO
skopeo(1), skopeo-login(1), docker-login(1), containers-auth.json(5),
containers-policy.json(5), containers-transports(5), containers-signature(5)
AUTHORS
Antonio Murdaca runcom@redhat.com ⟨mailto:runcom@redhat.com⟩, Miloslav Trmac
mitr@redhat.com ⟨mailto:mitr@redhat.com⟩, Jhon Honce jhonce@redhat.com
⟨mailto:jhonce@redhat.com⟩
skopeo-copy(1)()