LinuxCommandLibrary

crane-tag

Copy container images between registries

TLDR

Tag remote image

$ crane tag [image_name] [tag_name]
copy

Display help
$ crane tag [[-h|--help]]
copy

SYNOPSIS

crane tag [OPTIONS] <SOURCE> <DESTINATION>

PARAMETERS

--allow-nondistributable-artifacts
    Allow pushing nondistributable artifacts.
(default: false)

-h, --help
    Show help for tag

--insecure
    Use HTTP (insecure) for registry connections.
(default: false)

--platform stringArray
    Filter to specific platforms.
e.g., --platform linux/amd64,linux/arm64
(default: [linux/amd64])

--registry-mirror stringArray
    Prefer these mirrors for source image

--skip-verify
    Skip manifest signature verification.
(default: false)

DESCRIPTION

crane tag is a subcommand of the crane CLI, a fast and lightweight tool for working with OCI container registries without needing a daemon like Docker. It creates a new tag by copying the image manifest from a source reference to a destination reference, avoiding full layer downloads for efficiency.

This is ideal for CI/CD pipelines, retagging images across registries, or promoting images (e.g., from dev to prod). Crane fetches the source manifest, optionally verifies signatures, and pushes the new reference. It handles multi-platform images via --platform filtering.

Authentication uses standard Docker config (~/.docker/config.json), environment variables, or helpers. Public sources work without auth, but destinations require push permissions. Supports insecure registries and mirrors for flexibility.

Unlike heavier tools, crane is pure Go, portable, and OCI-native, ensuring compatibility with modern registries like Harbor, Quay, or Artifact Registry.

CAVEATS

Requires push access to destination repo.
Source must be reachable (auth if private).
No layer copying; only manifest retag.

EXAMPLES

crane tag alpine:3.18 myrepo/alpine:latest
Tag local public image to private repo.

crane tag --platform linux/arm64 ghcr.io/app:v1 prod/app:arm
Platform-specific tag.

crane tag --insecure oldreg/app:v1 newreg/app:v2
Cross-registry with insecure source.

AUTHENTICATION

Uses DOCKER_CONFIG or ~/.docker/config.json.
Supports auth helpers like docker-credential-....
Env vars: REGISTRY_USERNAME, REGISTRY_PASSWORD.

HISTORY

Part of sigs.k8s.io/crane from Kubernetes SIG-Image. Initial release ~2021, evolved for OCI v1.1 compliance and multi-arch support. Maintained by Google and community.

SEE ALSO

crane(1), docker tag(1), skopeo copy(1), regctl tag(1)

Copied to clipboard