LinuxCommandLibrary

crane-pull

Download container images from a registry

TLDR

Pull remote image

$ crane pull [image_name] [path/to/tarball]
copy

Preserve image reference used to pull as an annotation when used with --format=oci
$ crane pull [image_name] [path/to/tarball] --annotate-ref
copy

Path to cache image layers
$ crane pull [image_name] [path/to/tarball] [[-c|--cache_path]] [path/to/cache]
copy

Format in which to save images (default tarball)
$ crane pull [image_name] [path/to/tarball] [-format] [format_name]
copy

Display help
$ crane pull [[-h|--help]]
copy

SYNOPSIS

crane pull [OPTIONS] IMAGE [DEST]

PARAMETERS

-p, --platform stringArray
    Platform in form os[/arch[/variant]] (default [linux/amd64])

--all-platforms
    Pull all available platforms

--cmd
    Pull only cmd.json

--config
    Pull only config.json

--index
    Pull only index.json

--layer
    Pull specific layer by digest

--insecure
    Allow HTTP repositories (insecure)

--pull-from-cache
    Use crane cache if available

--registry-mirror string
    Pull via specified registry mirror

--quiet
    Suppress progress output

DESCRIPTION

The crane pull command is part of the crane CLI tool, a fast, all-static binary for interacting with OCI (Open Container Initiative) images and artifacts. It downloads container images from remote registries to a local tar file or directory, without requiring a container runtime like Docker or Podman.

Unlike traditional tools, crane operates daemonlessly, making it lightweight and portable. It supports pulling specific layers, configs, or entire multi-platform images. Ideal for CI/CD pipelines, air-gapped environments, or anywhere minimal footprint is needed.

By default, it fetches the linux/amd64 platform variant and saves to IMAGE.tar. Use flags to customize platforms, suppress output, or pull from mirrors. Crane verifies image integrity using digests and handles authentication via standard mechanisms.

This command excels in speed due to optimized HTTP/2 transport and caching options, outperforming heavier alternatives for simple pull operations.

CAVEATS

Does not unpack or run images; outputs tarballs. Requires network access unless cached. Authentication via DOCKER_CONFIG or flags.

ALIASES

Supports cp as alias for quick copies.
Aliases: pull, cp

OUTPUT

DEST as directory unpacks image; tar by default. IMAGE is registry reference or digest.

HISTORY

Developed by Google in go-containerregistry project (2019+); evolved for OCI compliance and multi-arch support. Widely used in Kubernetes ecosystem.

SEE ALSO

docker-pull(1), skopeo-copy(1), img-pull(1)

Copied to clipboard