LinuxCommandLibrary

skopeo

Inspect, copy, and sign container images

TLDR

Inspect a remote image from a registry

$ skopeo inspect docker://[registry_hostname]/[image:tag]

List available tags for a remote image
$ skopeo list-tags docker://[registry_hostname]/[image]

Download an image from a registry
$ skopeo copy docker://[registry_hostname]/[image:tag] dir:[path/to/directory]

Copy an image from one registry to another
$ skopeo copy docker://[source_registry]/[image:tag] docker://[destination_registry]/[image:tag]

Delete an image from a registry
$ skopeo delete docker://[registry_hostname]/[image:tag]

Log in to a registry
$ skopeo login --username [username] [registry_hostname]

SYNOPSIS

skopeo [global options] command [command options]

PARAMETERS

--authfile *path*
    Path to the authentication file. Defaults to ${XDG_RUNTIME_DIR}/containers/auth.json.

--cert-dir *path*
    Path to a directory containing TLS certificates for verifying registry servers.

--debug
    Enable debug output.

--dest-creds *username[:password]*
    Credentials for accessing the destination registry.

--dest-tls-verify *bool*
    Require TLS verification for the destination registry (true/false). Defaults to true.

--digestfile *path*
    Write the digest of the pushed image to the specified file.

--help
    Display help information.

--insecure-policy
    Do not use the policy configuration for signature validation; accept any signature or no signature.

--no-signature-verification
    Disable signature verification.

--policy *path*
    Path to the signature policy file.

--remove-signatures
    Remove any existing signatures before signing.

--retry-times *integer*
    The number of times to retry. If not specified, the default is 0.

--shared-blob-dir *path*
    Directory for shared blobs. Improves cross-repository deduplication.

--src-creds *username[:password]*
    Credentials for accessing the source registry.

--src-tls-verify *bool*
    Require TLS verification for the source registry (true/false). Defaults to true.

DESCRIPTION

skopeo is a command-line utility that performs various operations on container images and image repositories. Unlike Docker, skopeo does not require a daemon to be running and does not require root privileges in many cases. It primarily focuses on inspecting, copying, deleting, and signing container images and is useful for working with images without needing a full container runtime.

skopeo supports a wide range of image storage formats, including Docker registries, local directories, and container image archives (such as OCI and Docker). It's commonly used for transferring images between different registries, verifying signatures, and inspecting image manifests. Its daemon-less nature makes it an excellent tool for automated CI/CD pipelines and security-sensitive environments.

CAVEATS

skopeo relies on configuration files for container image signing and verification. Ensure that the policy.json file is correctly configured for your environment. Some operations may require appropriate permissions depending on the container registry and storage configurations.
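
An added example, not from the original page or the skopeo project: a small Python auditor for the policy.json file mentioned above, reporting requirement lists that would accept unsigned images or that name no verification key. It assumes the containers-policy.json layout (a `default` list plus per-transport scopes); the registry name and key path in the samples are constructed.

```python
import json

# Constructed sample policies in containers-policy.json layout (hypothetical
# registry name and key path; not from the page or the skopeo project).
PERMISSIVE = '{"default": [{"type": "insecureAcceptAnything"}]}'
STRICT = json.dumps({
    "default": [{"type": "reject"}],
    "transports": {
        "docker": {"registry.example.com/prod": [{
            "type": "signedBy", "keyType": "GPGKeys",
            "keyPath": "/etc/pki/containers/prod.gpg"}]},
        "dir": {"": [{"type": "insecureAcceptAnything"}]},
    },
})

KNOWN_TYPES = {"insecureAcceptAnything", "reject", "signedBy", "sigstoreSigned"}
REMOTE_TRANSPORTS = {"docker"}  # assumption: only registry pulls rate as HIGH


def check_requirements(where, reqs, remote):
    """Yield (severity, location, message) for one list of policy requirements."""
    if not reqs:
        yield ("HIGH", where, "missing or empty requirement list")
    for req in reqs:
        kind = req.get("type")
        if kind not in KNOWN_TYPES:
            yield ("HIGH", where, f"unknown requirement type {kind!r}")
        elif kind == "insecureAcceptAnything":
            yield ("HIGH" if remote else "INFO", where, "accepts any image, signed or unsigned")
        elif kind == "signedBy" and not any(
                k in req for k in ("keyPath", "keyPaths", "keyData")):
            yield ("HIGH", where, "signedBy without a key source")


def audit_policy(text):
    """Return sorted findings for a policy.json document given as a string."""
    policy = json.loads(text)
    findings = list(check_requirements("default", policy.get("default", []), True))
    for transport, scopes in policy.get("transports", {}).items():
        for scope, reqs in scopes.items():
            where = f"transports.{transport}[{scope!r}]"
            findings += check_requirements(where, reqs, transport in REMOTE_TRANSPORTS)
    return sorted(findings)


if __name__ == "__main__":
    for name, doc in (("permissive", PERMISSIVE), ("strict", STRICT)):
        for finding in audit_policy(doc):
            print(name, *finding, sep="\t")
```
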

IMAGE NAMES

skopeo uses image names that specify the transport and location of the image. Examples include: docker://docker.io/library/ubuntu:latest, oci:path/to/oci/image, dir:/path/to/directory.

COMMON SUBCOMMANDS

Common subcommands include: copy (copy images between different storage types), inspect (display image information), sync (synchronize images between repositories), delete (delete images from a registry), and sign/verify (sign and verify image signatures).

HISTORY

skopeo was developed as part of the containers/skopeo project and has been actively maintained to provide a standalone, daemon-less tool for working with container images. It has gained popularity as part of the broader container ecosystem, complementing tools like Podman and Buildah.

SEE ALSO

podman(1), docker(1), buildah(1)
