We are thrilled to announce that Skopeo 1.0 has been released.
I often talk about all of the new container tools that we have developed over the last few years, and often skim over Skopeo. But Skopeo was the first one, and really has some cool features.
Skopeo is a tool for moving container images between different types of container storages. It allows you to copy container images between container registries like docker.io, quay.io, and your internal container registry or different types of storage on your local system. You can copy to a local container/storage repository, even directly into a Docker daemon.

One of the best things about Skopeo is you don’t have to be root to execute it, and you don’t need to store the images locally if you are just copying from one container registry to another. Skopeo does not require a daemon to be running to perform its operations. I believe it is a much better solution than having to run podman pull IMAGE; podman push IMAGE
.
Skopeo is being used all over the world to move container images. It is used in CI/CD systems to keep container registries up to date, as well as loading up container storage for all different kinds of container servers.
History
Skopeo was originally a side project that Red Hat’s Antonio Murdaca started to view the container image JSON file stored on a container registry. Container images, whether they are Open Container Initiative (OCI) images or Docker images consist of two parts. One part is a tarball of the `rootfs` directory. This directory, which tends to look like the root file system on the linux operating system, contains all of the code and configuration files required to run an application.
The second part is a JSON file which describes the application, this is the input from the developer of the container image, how he expects the container to be run. It includes the entrypoint and cmd describing the path to the executable to start the container. It also includes content like environment variables and working directory. Basically, all of those extra fields people see in the Dockerfile definitions. These fields are not standardized as part of the OCI Image Specification.
These image tarballs can get very large, I have seen multi-gigabyte images. The problem was that if you wanted to view the image specification JSON file, the only way to do this was to do a `docker pull IMAGE; docker inspect IMAGE`. A few years ago we opened a pull request with the upstream Docker project to do a `docker inspect --remote IMAGE`, the request was rejected, because the maintainers did not want to complicate the Docker CLI. But we were told that container registries were just web servers, and we should build our own tool to pull down the JSON file. Antonio created that tool and called it Skopeo which is the Greek word for remote viewing.
Antonio figured if he was going to pull the image specification, he might as well pull the image. Once he pulled the image he figured he could push the image, and Skopeo developed into a tool that can copy container images between all different types of container storage.
Red Hat was working with CoreOS before the companies merged, and CoreOS wanted to use Skopeo to copy images to their hosts for use with their container engine rkt
. But the CoreOS developers did not want to exec out to Skopeo, they wanted to call into a golang library. This led us to split Skopeo into a command line tool and a separate library github.com/containers/image. This library is now shared by many other container engines including Podman, Buildah, CRI-O.
USAGE
$ skopeo --help Various operations with container images and container image registries Usage: skopeo [command] Available Commands: copy Copy an IMAGE-NAME from one location to another delete Delete image IMAGE-NAME help Help about any command inspect Inspect image IMAGE-NAME list-tags List tags in the transport/repository specified by the REPOSITORY-NAME login Login to a container registry logout Logout of a container registry manifest-digest Compute a manifest digest of a file standalone-sign Create a signature using local files standalone-verify Verify a signature using local files sync Synchronize one or more images from one location to another
Skopeo operates on the following image and repository types:
-
Container Registries:
An image in a registry implementing the "Docker Registry HTTP API V2". docker://docker-reference. Authorization state is stored in $XDG_RUNTIME_DIR/containers/auth.json
, which is set using (skopeo login).
-
Container Storage
An image located in a local containers/storage image store. Location and image store specified in /etc/containers/storage.conf
.
-
Local file system
An existing local directory path storing the manifest, layer tarballs and signatures as individual files. This is a non-standardized format, primarily useful for debugging or noninvasive container inspection.
-
Docker Archive
An image is stored in the docker save formatted file. docker-reference is only used when creating such a file, and it must not contain a digest.
-
Docker Daemon
An image docker-reference stored in the docker daemon internal storage. docker-reference must contain either a tag or a digest. Alternatively, when reading images, the format can also be docker-daemon:algo:digest (an image ID).
-
Local directory with OCI formatting
An image tag in a directory compliant with "Open Container Image Layout Specification" at path.
Examples
Inspecting a repository
Examples:
$ skopeo inspect --config docker://quay.io/podman/stable | json_pp { "architecture" : "amd64", "config" : { "Cmd" : [ "/bin/bash" ], "Env" : [ "DISTTAG=f32container", "FGC=f32", "container=oci", "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", "_CONTAINERS_USERNS_CONFIGURED=" ], "Labels" : { "license" : "MIT", "name" : "fedora", "vendor" : "Fedora Project", "version" : "32" } }, "created" : "2020-05-03T12:27:03.990489916Z", "history" : [ ... ], "os" : "linux", "rootfs" : { "diff_ids" : [ "sha256:a4c0fa2b217d3fd63d51e55a6fd59432e543d499c0df2b1acd48fbe424f2ddd1", "sha256:120e15c4fd15cb42f0fc028a5105f3923b928c3cb766afc6cbc2c14a78b49387", "sha256:f100a96598ff0e42eede39a8cd57ff85c3478f942074216572b01d1d614fc083", "sha256:dbb194061737e6970cc735cee0b2353d541f51fe12a69cffb3827cce4cdf5c25", "sha256:8dc1236d8bfbd7be7b8bf04677f5dd20fa41bbe6bd98688408071b1d4ec3ecf7" ], "type" : "layers" } }
Copying images
Skopeo can copy container images between various storage mechanisms:
$ skopeo copy docker://registry.access.redhat.com/ubi8-init docker://reg.company.com/ubi-init Getting image source signatures Copying blob 58e1deb9693d done Copying blob f544909c6b5a done Copying blob 78afc5364ad2 done Copying config a858c9c7ea done Writing manifest to image destination Storing signatures a858c9c7ea130b17bad01c858a20f4392085bcc0f25aa5eeee4b16726bed5bab $ skopeo copy docker://registry.fedoraproject.org/fedora:latest containers-storage:fedora Getting image source signatures Copying blob 3088721d7dbf done Copying config d81c91deec done Writing manifest to image destination Storing signatures
Deleting images from a registry
For example,
$ skopeo delete docker://localhost:5000/imagename:latest
Conclusion
Skopeo is a great lightweight tool to help users and administrators maintain their container image infrastructure. Although it has not received the attention that it probably deserves, Skopeo is a really terrific tool to have in your own toolbox.
The upstream release is now available, we expect to see Skopeo 1.0 in the Red Hat Enterprise Linux 8.3 release.
Red Hat의 UBI(Universal Base Image)를 활용해서 작업 효율성을 개선하세요
저자 소개
Daniel Walsh has worked in the computer security field for over 30 years. Dan is a Senior Distinguished Engineer at Red Hat. He joined Red Hat in August 2001. Dan leads the Red Hat Container Engineering team since August 2013, but has been working on container technology for several years.
Dan helped developed sVirt, Secure Virtualization as well as the SELinux Sandbox back in RHEL6 an early desktop container tool. Previously, Dan worked Netect/Bindview's on Vulnerability Assessment Products and at Digital Equipment Corporation working on the Athena Project, AltaVista Firewall/Tunnel (VPN) Products. Dan has a BA in Mathematics from the College of the Holy Cross and a MS in Computer Science from Worcester Polytechnic Institute.
채널별 검색
오토메이션
기술, 팀, 인프라를 위한 IT 자동화 최신 동향
인공지능
고객이 어디서나 AI 워크로드를 실행할 수 있도록 지원하는 플랫폼 업데이트
오픈 하이브리드 클라우드
하이브리드 클라우드로 더욱 유연한 미래를 구축하는 방법을 알아보세요
보안
환경과 기술 전반에 걸쳐 리스크를 감소하는 방법에 대한 최신 정보
엣지 컴퓨팅
엣지에서의 운영을 단순화하는 플랫폼 업데이트
인프라
세계적으로 인정받은 기업용 Linux 플랫폼에 대한 최신 정보
애플리케이션
복잡한 애플리케이션에 대한 솔루션 더 보기
오리지널 쇼
엔터프라이즈 기술 분야의 제작자와 리더가 전하는 흥미로운 스토리
제품
- Red Hat Enterprise Linux
- Red Hat OpenShift Enterprise
- Red Hat Ansible Automation Platform
- 클라우드 서비스
- 모든 제품 보기
툴
체험, 구매 & 영업
커뮤니케이션
Red Hat 소개
Red Hat은 Linux, 클라우드, 컨테이너, 쿠버네티스 등을 포함한 글로벌 엔터프라이즈 오픈소스 솔루션 공급업체입니다. Red Hat은 코어 데이터센터에서 네트워크 엣지에 이르기까지 다양한 플랫폼과 환경에서 기업의 업무 편의성을 높여 주는 강화된 기능의 솔루션을 제공합니다.