Moving containers from docker.io to quay.io

Thanks to Skopeo, we can easily copy container images from one registry to another. In this article, we’ll copy images from docker.io to quay.io, a container registry that has a lot of features that docker.io doesn’t provide. The first feature that I really like is the ability to list and manage image vulnerabilities and other security information. The second is the ability to manage image manifests.

I wrote a small script that one can use to automate image copying. Before running the script, do the following:

1. Get an OAuth token from https://quay.io/organization/[your-org]?tab=applications.
2. Change the token, namespace, containers, and tag (if needed).
3. If your docker.io registry requires authentication, run podman login docker.io ( the –src-creds option can also be used with Skopeo).
4. Authenticate against your quay.io registry with podman login quay.io (the –dest-creds option can also be used with Skopeo).

Here is the script:

#!/bin/sh
set -ex

# get OAuth token from https://quay.io/organization/[your-org]?tab=applications
token='secrete'
namespace=yourorg
containers='app1 app2'
tag=latest

retry() {
    local -r -i max_attempts="$1"; shift
    local -r cmd="$@"
    local -i attempt_num=1
    until $cmd
    do
        if ((attempt_num==max_attempts))
        then
            echo "Attempt $attempt_num failed and there are no more attempts left!"
            return 1
        else
            echo "Attempt $attempt_num failed! Trying again in $attempt_num seconds..."
            sleep $((attempt_num++))
        fi
    done
}

for container in $containers; do
    # create empty public repo first otherwise skopeo will create the image as private
    curl -X POST https://quay.io/api/v1/repository \
        -d '{"namespace":"'$namespace'","repository":"'$container'","description":"Container image '$container'","visibility":"public"}' \
        -H 'Authorization: Bearer '$token'' -H "Content-Type: application/json"
    # workaround if quay.io returns 500 error, likely due to an internal bug when using skopeo against docker.io
    copy="skopeo copy docker://docker.io/$namespace/$container:$tag docker://quay.io/$namespace/$container:$tag"
    retry 5 $copy
done

As you can see, there are two unusual things in this script. First, the curl command creates an empty public image; otherwise, quay.io would create a private image by default when copying the image with Skopeo. As far as I know, there is no option in quay.io to change the default policy. Of course, you can remove it if you don’t want your image to be public by default.

Second, the retry mechanism works around the 500 error that tells you that the repository already exists when Skopeo provisions a new repository (which sounds specific to how the registry receives authentication from Skopeo vs. Docker CLI).

For more information, check out the quay.io documentation.

Enjoy Skopeo and quay.io!

This article was originally posted on /home/emilien.