Recently, I spotted a question on a mailing list asking how to move container images from an internal/build registry to a production one. To put it another way: how would you copy images from registry A to registry B? I’m going to show you a really easy way to do this with Skopeo.
The first approach is simple, and it’s what most people would do:
Pull the image from internal.registry/myimage:latest
Tag the image with production.registry/myimage:v1.0
Push to production.registry/myimage:v1.0
This works reasonably well and many people are already used to doing it with the docker
command:
docker pull internal.registry/myimage:latest
docker tag internal.registry/myimage:latest production.registry/myimage:v1.0
docker push production.registry/myimage:v1.0
This approach has some downsides though:
- The user needs to have
docker
installed on the system. - The
docker
daemon needs to be started on the system. - The
docker
daemon runs with privileges.
This approach is quite heavy for a simple operation such as copying an image from one registry to another. Suppose that all you do on a system is copying an image from the internal/build registry to the production registry. Do you really need a fully privileged docker daemon up and using resources on your system?
Enter skopeo copy
Skopeo is a command line tool for working with remote image registries. Skopeo doesn’t require a daemon to be running while performing its operations. In particular, the handy skopeo
command called copy
will ease the whole image copy operation. Without further ado, you can copy an image from a registry to another simply by running:
skopeo copy docker://internal.registry/myimage:latest /
docker://production.registry/myimage:v1.0
The copy command will take care of copying the image from internal.registry
to production.registry
. Notice how the tagging operation went away by specifying the desired image name for the production registry directly in the command.
Say your production registry requires credentials to login in order to push the image, skopeo
can handle that as well:
skopeo copy --dest-creds prod_user:prod_pass docker://internal.registry/myimage:latest /
docker://production.registry/myimage:v1.0
The same goes for credentials for the source registry (internal.registry
) by using the --src-creds
flag.
Afterwards, on your production machine, you can simply pull the image with docker
:
$ docker pull production.registry/myimage:v1.0
想要利用红帽的通用基础镜像(UBI)做更多的事情吗?
Beyond remote registries
Now, skopeo copy
isn’t limited to remote containers registries. The image prefix docker://
from the above commands define the transport to be used when handling the image.
You may have guessed the docker://
transport is for remote docker registries, but there are others:
atomic
containers-storage
dir
docker
docker-daemon
docker-tar
oci
ostree
You can work with any of them, and use them to copy containers from one format to another.
Availability
Skopeo is open source software available on GitHub. It is also available in Red Hat Enterprise Linux as of version 7.2.6 in the Extras Channel and the rhel-tools
image.
In addition to copying images, Skopeo also lets you sign images, inspect images and more, all with a very small presence on your machine. You can find more information on skopeo
on the README.md
on GitHub and you can also refer to man skopeo
, skopeo -h
and skopeo copy -h
.
更多此类内容
产品
工具
试用购买与出售
沟通
关于红帽
我们是世界领先的企业开源解决方案供应商,提供包括 Linux、云、容器和 Kubernetes。我们致力于提供经过安全强化的解决方案,从核心数据中心到网络边缘,让企业能够更轻松地跨平台和环境运营。