Skopeo Copy to the Rescue

Recently, I spotted a question on a mailing list asking how to move container images from an internal/build registry to a production one. To put it another way: how would you copy images from registry A to registry B? I’m going to show you a really easy way to do this with skopeo.

The first approach is simple, and it’s what most people would do:

Pull the image from internal.registry/myimage:latest Tag the image with production.registry/myimage:v1.0 Push to production.registry/myimage:v1.0

This works reasonably well and many people are already used to doing it with the docker command:

docker pull internal.registry/myimage:latest
docker tag internal.registry/myimage:latest production.registry/myimage:v1.0
docker push production.registry/myimage:v1.0

This approach has some downsides though:

  • The user needs to have docker installed on the system.
  • The docker daemon needs to be started on the system.
  • The docker daemon runs with privileges.

This approach is quite heavy for a simple operation such as copying an image from one registry to another. Suppose that all you do on a system is copying an image from the internal/build registry to the production registry. Do you really need a fully privileged docker daemon up and using resources on your system?

Enter skopeo copy

Skopeo is a command line tool for working with remote image registries. Skopeo doesn’t require a daemon to be running while performing its operations. In particular, the handy skopeo command called copy will ease the whole image copy operation. Without further ado, you can copy an image from a registry to another simply by running:

skopeo copy docker://internal.registry/myimage:latest /
docker://production.registry/myimage:v1.0

The copy command will take care of copying the image from internal.registry to production.registry. Notice how the tagging operation went away by specifying the desired image name for the production registry directly in the command.

Say your production registry requires credentials to login in order to push the image, skopeo can handle that as well:

skopeo copy --dest-creds prod_user:prod_pass docker://internal.registry/myimage:latest /
docker://production.registry/myimage:v1.0

The same goes for credentials for the source registry (internal.registry) by using the --src-creds flag.

Afterwards, on your production machine, you can simply pull the image with docker:

$ docker pull production.registry/myimage:v1.0

Beyond remote registries

Now, skopeo copy isn’t limited to remote containers registries. The image prefix docker:// from the above commands define the transport to be used when handling the image.

You may have guessed the docker:// transport is for remote docker registries, but there are others:

  • atomic
  • containers-storage
  • dir
  • docker
  • docker-daemon
  • docker-tar
  • oci
  • ostree

You can work with any of them, and use them to copy containers from one format to another.

Availability

skopeo is open source software that is now available under the Project Atomic repositories on GitHub. It is also available in Red Hat Enterprise Linux as of version 7.2.6 in the Extras Channel, Atomic Host, and the rhel-tools image.

In addition to copying images, skopeo also lets you sign images, inspect images and more, all with a very small presence on your machine. You can find more information on skopeo on the README.md on GitHub and you can also refer to man skopeo, skopeo -h and skopeo copy -h.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s