Recently, I spotted a question on a mailing list asking how to move container images from an internal/build registry to a production one. To put it another way: how would you copy images from registry A to registry B? I’m going to show you a really easy way to do this with skopeo.
The first approach is simple, and it’s what most people would do:
Pull the image from
internal.registry/myimage:latest Tag the image with
production.registry/myimage:v1.0 Push to
This works reasonably well and many people are already used to doing it with the
docker pull internal.registry/myimage:latest
docker tag internal.registry/myimage:latest production.registry/myimage:v1.0
docker push production.registry/myimage:v1.0
This approach has some downsides though:
- The user needs to have
dockerinstalled on the system.
dockerdaemon needs to be started on the system.
dockerdaemon runs with privileges.
This approach is quite heavy for a simple operation such as copying an image from one registry to another. Suppose that all you do on a system is copying an image from the internal/build registry to the production registry. Do you really need a fully privileged docker daemon up and using resources on your system?
Skopeo is a command line tool for working with remote image registries. Skopeo doesn’t require a daemon to be running while performing its operations. In particular, the handy
skopeo command called
copy will ease the whole image copy operation. Without further ado, you can copy an image from a registry to another simply by running:
skopeo copy docker://internal.registry/myimage:latest / docker://production.registry/myimage:v1.0
The copy command will take care of copying the image from
production.registry. Notice how the tagging operation went away by specifying the desired image name for the production registry directly in the command.
Say your production registry requires credentials to login in order to push the image,
skopeo can handle that as well:
skopeo copy --dest-creds prod_user:prod_pass docker://internal.registry/myimage:latest / docker://production.registry/myimage:v1.0
The same goes for credentials for the source registry (
internal.registry) by using the
Afterwards, on your production machine, you can simply pull the image with
$ docker pull production.registry/myimage:v1.0
Beyond remote registries
skopeo copy isn’t limited to remote containers registries. The image prefix
docker:// from the above commands define the transport to be used when handling the image.
You may have guessed the
docker:// transport is for remote docker registries, but there are others:
You can work with any of them, and use them to copy containers from one format to another.
skopeo is open source software that is now available under the Project Atomic repositories on GitHub. It is also available in Red Hat Enterprise Linux as of version 7.2.6 in the Extras Channel, Atomic Host, and the
In addition to copying images, skopeo also lets you sign images, inspect images and more, all with a very small presence on your machine. You can find more information on
skopeo on the
README.md on GitHub and you can also refer to
skopeo -h and
skopeo copy -h.
About the author
Joe Brockmeier is the editorial director of the Red Hat Blog. He joined Red Hat in 2013 as part of the Open Source and Standards (OSAS) group, now the Open Source Program Office (OSPO). Prior to Red Hat, Brockmeier worked for Citrix on the Apache OpenStack project, and was the first OpenSUSE community manager for Novell between 2008-2010.