skopeo是一个命令行应用程序,它对容器镜像和镜像存储库执行各种操作。
skopeo可以操作OCI镜像以及原始的Docker v2镜像。
Skopeo使用API V2注册表,例如Docker注册表,Atomic注册表,私有注册表,本地目录和本地OCI布局目录。 Skopeo不需要运行守护进程来执行这些操作,包括:
Skopeo对以下类型的镜像和存储库进行操作:
containers-storage:docker-reference。位于本地容器/存储镜像存储中的镜像。在/etc/containers/storage.conf中指定的位置和镜像存储
dir:path一个现有的本地目录路径,它将manifest,镜像层tarball和signatures存储为单个文件。这是一种非标准化格式,主要用于调试或非侵入式容器检查。
docker://docker-reference。实现“Docker Registry HTTP API V2”的注册表中的镜像。默认情况下,使用$HOME/.docker/config.json中的授权状态,例如,设置为使用(docker login)。
docker-archive:path [:docker-reference]。镜像存储在docker save formated file中。 docker-reference仅在创建此类文件时使用,并且不得包含digest。
docker-daemon:docker-reference。存储在docker守护程序内部存储中的镜像。 docker-reference必须包含tag或digest。或者,在读取镜像时,格式也可以是docker-daemon:algo:digest(image ID)。
oci:path:tag。路径中符合“Open Container Image Layout Specification”的目录中的镜像标记。
ostree:image / absolute / repo / path。本地OSTree存储库中的镜像。 /absolute/repo/path默认为/ostree/repo。
skopeo能够检查Docker注册表上的存储库并获取镜像层。 inspect命令获取存储库的清单,它能够显示有关整个存储库或标记的docker inspect-like json输出。 与docker inspect相比,此工具可帮助您在提取存储库或标记之前收集有用的信息(使用磁盘空间)。 inspect命令可以显示给定存储库可用的标记,图像的标签,图像的创建日期和操作系统等。
# show properties of fedora:latest
$ skopeo inspect docker://docker.io/fedora
{
"Name": "docker.io/library/fedora",
"Tag": "latest",
"Digest": "sha256:cfd8f071bf8da7a466748f522406f7ae5908d002af1b1a1c0dcf893e183e5b32",
"RepoTags": [
"20",
"21",
"22",
"23",
"heisenbug",
"latest",
"rawhide"
],
"Created": "2016-03-04T18:40:02.92155334Z",
"DockerVersion": "1.9.1",
"Labels": {},
"Architecture": "amd64",
"Os": "linux",
"Layers": [
"sha256:236608c7b546e2f4e7223526c74fc71470ba06d46ec82aeb402e704bfdee02a2",
"sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4"
]
}
# show unverifed image's digest
$ skopeo inspect docker://docker.io/fedora:rawhide | jq '.Digest'
"sha256:905b4846938c8aef94f52f3e41a11398ae5b40f5855fb0e40ed9c157e721d7f8"skopeo可以在各种存储机制之间复制容器镜像,包括:
基于Docker分发的注册表
容器存储后端
本地目录
本地OCI布局目录
$ skopeo copy docker://busybox:1-glibc atomic:myns/unsigned:streaming
$ skopeo copy docker://busybox:latest dir:existingemptydirectory
$ skopeo copy docker://busybox:latest oci:busybox_ocilayout:latest$ skopeo delete docker://localhost:5000/imagename:latest当与私有注册表交互时,skopeo首先查找--creds(用于skopeo inspect | delete)或--src-creds | --dest-creds(用于skopeo copy)标志。 如果没有提供,它会查找Docker的cli配置文件(通常位于$ HOME/.docker/config.json)以获取进行身份验证所需的凭据。 像Docker一样,最终的后备是在与这些注册表交互时提供空身份验证。
$ cat /home/runcom/.docker/config.json
{
"auths": {
"myregistrydomain.com:5000": {
"auth": "dGVzdHVzZXI6dGVzdHBhc3N3b3Jk",
"email": "stuf@ex.cm"
}
}
}
# we can see I'm already authenticated via docker login so everything will be fine
$ skopeo inspect docker://myregistrydomain.com:5000/busybox
{"Tag":"latest","Digest":"sha256:473bb2189d7b913ed7187a33d11e743fdc2f88931122a44d91a301b64419f092","RepoTags":["latest"],"Comment":"","Created":"2016-01-15T18:06:41.282540103Z","ContainerConfig":{"Hostname":"aded96b43f48","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":null,"Cmd":["/bin/sh","-c","#(nop) CMD [\"sh\"]"],"Image":"9e77fef7a1c9f989988c06620dabc4020c607885b959a2cbd7c2283c91da3e33","Volumes":null,"WorkingDir":"","Entrypoint":null,"OnBuild":null,"Labels":null},"DockerVersion":"1.8.3","Author":"","Config":{"Hostname":"aded96b43f48","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":null,"Cmd":["sh"],"Image":"9e77fef7a1c9f989988c06620dabc4020c607885b959a2cbd7c2283c91da3e33","Volumes":null,"WorkingDir":"","Entrypoint":null,"OnBuild":null,"Labels":null},"Architecture":"amd64","Os":"linux"}
# let's try now to fake a non existent Docker's config file
$ cat /home/runcom/.docker/config.json
{}
$ skopeo inspect docker://myregistrydomain.com:5000/busybox
FATA[0000] unauthorized: authentication required
# passing --creds - we can see that everything goes fine
$ skopeo inspect --creds=testuser:testpassword docker://myregistrydomain.com:5000/busybox
{"Tag":"latest","Digest":"sha256:473bb2189d7b913ed7187a33d11e743fdc2f88931122a44d91a301b64419f092","RepoTags":["latest"],"Comment":"","Created":"2016-01-15T18:06:41.282540103Z","ContainerConfig":{"Hostname":"aded96b43f48","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":null,"Cmd":["/bin/sh","-c","#(nop) CMD [\"sh\"]"],"Image":"9e77fef7a1c9f989988c06620dabc4020c607885b959a2cbd7c2283c91da3e33","Volumes":null,"WorkingDir":"","Entrypoint":null,"OnBuild":null,"Labels":null},"DockerVersion":"1.8.3","Author":"","Config":{"Hostname":"aded96b43f48","Domainname":"","User":"","AttachStdin":false,"AttachStdout":false,"AttachStderr":false,"Tty":false,"OpenStdin":false,"StdinOnce":false,"Env":null,"Cmd":["sh"],"Image":"9e77fef7a1c9f989988c06620dabc4020c607885b959a2cbd7c2283c91da3e33","Volumes":null,"WorkingDir":"","Entrypoint":null,"OnBuild":null,"Labels":null},"Architecture":"amd64","Os":"linux"}
# skopeo copy example:
$ skopeo copy --src-creds=testuser:testpassword docker://myregistrydomain.com:5000/private oci:local_oci_imageskopeo可能已经打包在您的发行版中,例如在Fedora 23上,以后您可以使用它安装它
$ sudo dnf install skopeo否则,请继续阅读以从源代码构建和安装它:
要构建skopeo二进制文件,至少需要Go 1.5,因为它使用最新的GO15VENDOREXPERIMENT标志。
构建skopeo有两种方法:在容器中,或在没有容器的情况下本地。 选择更符合您需求和环境的产品。
没有容器的构建需要在您的环境中进行更多的手动工作和设置,但它更灵活:
安装必要的依赖项:
Fedora $ sudo dnf install gpgme-devel libassuan-devel btrfs-progs-devel device-mapper-devel ostree-devel
Ubuntu $ sudo apt install libgpgme-dev libassuan-dev btrfs-progs libdevmapper-dev libostree-dev
macOS $ brew install gpgme确保在GOPATH中克隆此存储库 - 否则编译失败。
$ git clone https://github.com/containers/skopeo $ GOPATH / src / github.com / containers / skopeo
$ cd $ GOPATH / src / github.com / containers / skopeo && make binary-local在容器中构建更简单,但更具限制性:
bash
$ make binary
#或(make all)也可以构建文档,见下文。
要构建pure-Go静态二进制文件(禁用ostree,devicemapper,btrfs和gpgme):
bash
$ make binary-static DISABLE_CGO = 1要构建手册,您需要go-md2man。
Debian $ sudo apt-get install go-md2man
Fedora $ sudo dnf安装go-md2man然后
$ make docs安装 最后,在构建二进制文件之后:
$ sudo make install