Skopeo is a tool for manipulating, inspecting, signing, and transferring container images and image repositories on Linux® systems, Windows and macOS. Like Podman and Buildah, Skopeo is an open source community-driven project that does not require running a container daemon.
With Skopeo, you can inspect images on a remote registry without having to download the entire image with all its layers, making it a lightweight and modular solution for working with container images across different formats, including Open Container Initiative (OCI) and Docker images.
A container image is a file with executable code that can be run in an isolated process. Container images consist of two parts:
The first part is one or more tar archives of the container’s file system. A tar archive is a collection of files and the file system directory contains all of the code and configuration files required to run an application.
The second part is JSON files which describe the application, provide configuration from the developer about how to run the container, transmit data between the application and the server, and store metadata about the individual components of the image and how to refer to them.
A container repository is a group of container images providing different versions of an application, and a container registry is a server providing access to images or the ability to upload new images.
Skopeo (Greek for "remote viewing") was the first container tool developed by Red Hat engineers alongside the open source community. Skopeo works with Podman and Buildah to manage OCI containers. Put simply, Podman runs containers, Buildah builds containers, and Skopeo transports containers, among other things. Think of these tools as a Swiss Army knife for your container environment. Skopeo is a deft and versatile blade at your disposal.
Skopeo inspects images with the skopeo inspect command. Before Skopeo was released, to inspect an image, you had to pull the whole image, even if you only wanted to inspect some metadata. Skopeo’s inspect command shows image properties, including layers, image tags, and labels, so you don’t have to pull the image to the host. This allows you to gather information about a repository or a tag without using any of your capacity.
Skopeo also allows you to delete an image from a repository and sync an external image repository to an internal registry for more secure disconnected network (also known as air-gapped) deployments. When required by the repository, Skopeo can pass the appropriate credentials and certificates for authentication.
Skopeo sync allows direct registry-to-registry copies for on-line use as well as registry-to-files and files-to-registry for preparing disconnected environments. Unlike skopeo copy, which assumes that the requested copy requires action, skopeo sync is tuned to be faster on regular re-syncs of large repositories with few modifications. In addition to direct command-line use, the sync operation can be configured in a config file, and that allows only syncing a subset of tags from a large repository.
If your inspection indicates a need to copy a container image from one location or storage type to another, you can do it with the Skopeo copy command. The tool allows you to copy container images between registries like docker.io, quay.io, and your internal container registry or various storage mechanisms on your local system. Skopeo’s direct registry-to-registry copy is fast and preserves the unmodified form (and the image’s manifest digest) if the destination registry allows it. Copying images between registries does not require any local disk use or free space on a local disk. Skopeo also moves between container engine storage and even directories. It is frequently used in CI/CD systems to keep container registries up to date and maintain storage on container servers.
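The inspect-then-copy flow described above, as an added example (not Red Hat's or the Skopeo project's code): it resolves a tag to its manifest digest without pulling layers, copies exactly that digest into an internal registry, and fails if the destination reports a different digest. The registry names, the script name and the function names `image_digest` and `mirror_pinned` are hypothetical, and it assumes a Skopeo release whose `copy` supports `--preserve-digests` and that registry credentials are already configured.

```shell
#!/usr/bin/env bash
# Added example: mirror one tag into an internal registry, pinned by digest.
# Registry and repository names used with it are placeholders (assumptions).
set -u

# Print the manifest digest of an image reference without pulling its layers.
image_digest() {
    skopeo inspect --format '{{.Digest}}' "docker://$1"
}

# mirror_pinned SRC_REPO TAG DST_REPO
# Resolves TAG to a digest once, copies exactly that digest, then checks that
# the destination serves the same digest. Prints the digest on success.
mirror_pinned() {
    local src_repo="$1" tag="$2" dst_repo="$3"
    local want got

    want=$(image_digest "$src_repo:$tag") || return 1
    case $want in
        sha256:*) ;;
        *) echo "unexpected digest '$want' for $src_repo:$tag" >&2; return 1 ;;
    esac

    # Copy by digest so a tag that moves after inspection cannot change what
    # is mirrored. --all keeps every platform of a multi-arch image;
    # --preserve-digests makes skopeo fail rather than rewrite the manifest.
    skopeo copy --all --preserve-digests \
        "docker://$src_repo@$want" "docker://$dst_repo:$tag" || return 1

    # Re-inspect the destination: a registry that converted the manifest
    # would report a different digest here.
    got=$(image_digest "$dst_repo:$tag") || return 1
    if [ "$got" != "$want" ]; then
        echo "digest mismatch: source $want, destination $got" >&2
        return 2
    fi
    printf '%s\n' "$want"
}

# Runs only when called with three arguments, for example:
#   ./mirror.sh quay.io/example/app 1.4 registry.internal.example/mirror/app
if [ "$#" -eq 3 ]; then
    mirror_pinned "$1" "$2" "$3"
fi
```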
Skopeo is part of a modular suite of container tools which comes with many advantages. Introducing significant changes into a monolithic tool without breaking it for existing users can be a challenge. Smaller, more specialized tools such as Skopeo, Podman and Buildah can be evolved more quickly. Having a set of tools allows each tool to focus on a single purpose, and new tools can be added to increase functionality or to experiment with ideas and architectures that might be incompatible with existing tools. Smaller and more modular tools are also easier to secure.
Similar to the way parts of Podman’s functionality come from the libpod library that allows code to be shared with other tools, Skopeo’s functionality is also implemented in a library. Skopeo’s containers/image library is shared by other container tools including Podman, Buildah, and CRI-O, and it is compatible with the Docker command line interface (CLI).
Security and accessibility
The main advantages of using Podman, Skopeo and Buildah together include:
- Rootless container management. Users can create, run, and manage containers without requiring processes with admin privileges, making your container environment more accessible while reducing security risks.
- Daemonless architecture. Daemons require administrative access (while also bypassing the need for admin verification) to read files, install programs, edit applications, and more. This makes daemons an ideal target for hackers who want to gain control of your containers and infiltrate the host system.
- Native systemd integration. Using Podman and associated container tools allows you to create systemd unit files and run containers as system services.
Kubernetes is an open source container orchestration platform that automates many of the manual processes involved in deploying, managing, and scaling containerized applications. If you run a CI/CD system inside of Kubernetes or use Red Hat OpenShift® to build your container images, you may need to distribute those images across different container registries. Skopeo is an ideal tool for such tasks.
High performance computing
Users running an older operating system on their host system may want to run Skopeo or other tools to take advantage of the latest features and updates. A common restriction in high performance computing (HPC) environments is that rootless users are not allowed to install packages on the host. With the increasing popularity of Podman in HPC, running the Skopeo container with Podman to perform specific tasks is just a few commands away, and users do not need root access.
Red Hat Enterprise Linux simplifies container development with fewer repositories and more developer tools. Container tools like Podman, Buildah, and Skopeo are included with a Red Hat Enterprise Linux subscription and form a strong base to support your container image and container needs. In addition to these tools, Red Hat provides base images to act as the foundation for your own images.
Run, build, and share container images with Red Hat Enterprise Linux command-line tools, the universal base image (UBI), the repository in Red Hat Quay, and the Supplemental repository, all of which lessen the complexity of developing containers.