LinuxCommandLibrary

crane-push

Push container images to a registry

TLDR

Push local image to remote registry

$ crane push [path/to/tarball] [image_name]
copy

Path to file with list of published image references
$ crane push [path/to/tarball] [image_name] --image-refs [path/to/file]
copy

Push a collection of images as a single index (required if path has multiple images)
$ crane push [path/to/tarball] [image_name] --index
copy

Display help
$ crane push [[-h|--help]]
copy

SYNOPSIS

crane push [OPTIONS] <SOURCE TARGET>

PARAMETERS

--all-platforms
    Push all platforms from source manifest list (cannot use with --platform)

--expected-digest <DIGEST>
    Fail push unless TARGET matches the specified digest

--max-retries <INT>
    Maximum HTTP request retries (default: 5)

--platform <PLATFORM[,...]>
    Push only specified platforms (e.g., linux/amd64,linux/arm64)

--registry-mirror-url <URL>
    Use registry mirror base URL for requests

-s, --source
    Read image source from stdin instead of file

--timeout <DURATION>
    HTTP request timeout (default: 1m0s)

DESCRIPTION

The crane push command uploads OCI-compliant container images, manifest lists, or non-distributable blobs to a remote container registry. It operates directly on local image archives (tarballs or directories) without requiring a container runtime or daemon, making it ideal for lightweight CI/CD workflows, air-gapped environments, and scripting.

SOURCE can be a local tarball, directory, oci-layout directory, or stdin stream. TARGET specifies the registry reference (e.g., ghcr.io/user/image:tag). Supports single-platform pushes, multi-platform manifest lists via --all-platforms, and selective platforms with --platform. Authentication uses standard mechanisms like ~/.docker/config.json. Features include configurable retries, timeouts, registry mirrors, and digest verification for security.

Unlike daemon-based tools like Docker, crane is fast, portable (single binary), and focused on registry interactions.

CAVEATS

Requires write access to TARGET registry; private registries need auth config. Does not handle image building—use with tools like docker buildx or img. Multi-arch pushes require pre-built manifest lists.

EXAMPLES

crane push myimage.tar ghcr.io/user/app:v1
crane push --platform linux/arm64 image.tar registry/img:latest
echo tarball | crane push -s --expected-digest sha256:abc... repo/image

AUTH SETUP

Uses ~/.docker/config.json for credentials. Run crane auth login REGISTRY for interactive login.

HISTORY

Developed by Jason Hall (imjasonh) in 2021 as a minimal OCI image tool, inspired by skopeo. Integrated into sigstore/cosign ecosystem for signing workflows. Actively maintained with Go, supporting OCI 1.0+ specs.

SEE ALSO

crane(1), skopeo(1), regctl(1), docker-push(1)

Copied to clipboard