介绍

skopeo 是一个命令行工具,可对容器镜像和容器存储进行操作。 在没有dockerd的环境下,使用 skopeo 操作镜像是非常方便的。

安装

# 安装 skopeo

https://github.com/containers/skopeo/blob/main/install.md

root@cby:~# . /etc/os-release
root@cby:~# echo "deb https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_${VERSION_ID}/ /" | sudo tee /etc/apt/sources.list.d/devel:kubic:libcontainers:stable.list
root@cby:~# curl -L https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/xUbuntu_${VERSION_ID}/Release.key | sudo apt-key
 add -
root@cby:~# sudo apt-get
 update
root@cby:~# sudo apt-get -y upgrade
root@cby:~# sudo apt-get -y install skopeo
root@cby:~# skopeo --version

root@cby:~# skopeo --help    # 子命令可采用如下命令 skopeo [command] --help 命令
Usage:
 skopeo [flags]
 skopeo [command]
Available Commands:  
 copy          # 复制一个镜像
从 A 到 B,这里的 A 和 B 可以为本地 docker 镜像或者 registry 上的镜像;
 delete        # 删除一个镜像 tag,可以是本地 docker 镜像或者 registry 上的镜像;
 help          # 帮助查看
 inspect       # 查看一个镜像的 manifest 或者 image config 详细信息;
 list-tags     # 列出存储库名称指定的镜像的tag
 login           # 登陆某个镜像仓库,类似于 docker login 命令
 logout          # 退出某个已认证的镜像仓库
, 类似于 docker logout 命令
 manifest-digest # 计算文件的清单摘要是一个sha256sum 值
 standalone-sign   # 使用本地文件创建签名
 standalone-verify # 验证本地文件的签名
 sync              # 将一个或多个图像从一个位置同步到另一个位置 (该功能非常Nice)
Flags:
   --command-timeout duration   # 命令超时时间(单位秒)
   --debug                      # 启用debug模式
   --insecure-policy            # 在不进行任何策略检查的情况下运行该工具(如果没有配置 policy 的话需要加上该参数)
   --override-arch ARCH         # 处理镜像时覆盖客户端 CPU 体系架构,如在 amd64 的机器上用 skopeo 处理 arm64 的镜像
   --override-os OS             # 处理镜像时覆盖客户端 OS
   --override-variant VARIANT   # 处理镜像时使用VARIANT而不是运行架构变量
   --policy string              # 信任策略文件的路径 (为镜像配置安全策略情况下使用)
   --registries.d DIR           # 在目录中使用Registry配置文件
(例如,用于容器签名存储)
   --tmpdir string              # 用于存储临时文件的目录
-h, --help                       help for skopeo  
-v, --version                    Version for Skopeo

# 查看已有的认证信息
root@cby:~# cat ~/.docker/config.json
{
        "auths": {
                "core.oiox.cn:30785": {
                        "auth": "XXXX"
                },
                "hb.oiox.cn": {
                        "auth": "XXXX"
                },
                "swr.cn-north-1.myhuaweicloud.com": {
                        "auth": "XXXX"
                }
        }
}root@cby:~#

使用

# 从一个仓库拷贝到另一个仓库
root@cby:~# skopeo copy docker://docker.io/busybox:latest docker://hb.oiox.cn/cby/busybox:latest --dest-authfile /root/.docker/config.json --src-tls-verify=false --dest-tls-verify=false
Getting image source signatures
Copying blob 405fecb6a2fa done  
Copying config 9d5226e6ce done  
Writing manifest to image destination
Storing signatures
root@cby:~# 

# 从一个仓库同步所以版本到另一个仓库
root@cby:~# skopeo sync --src docker --dest docker k8s.gcr.io/etcd hb.oiox.cn/cby/ --src-tls-verify=false --dest-tls-verify=false
INFO[0000] Tag presence check                            imagename=k8s.gcr.io/etcd tagged=false
INFO[0000] Getting tags                                  image=k8s.gcr.io/etcd
INFO[0004] Copying image ref 1/106                       from="docker://k8s.gcr.io/etcd:2.0.12" to="docker://hb.oiox.cn/cby/etcd:2.0.12"
Getting image source signatures
Copying blob a3ed95caeb02 done  
Copying blob a3ed95caeb02 done  
Copying blob a3ed95caeb02 done  
Copying blob 35c8bf5fd6cd done  
Copying blob a7e0d6960478 done  
Copying blob 3109a5487eac done  
Copying config 8c32a2c999 done  
Writing manifest to image destination
Storing signatures
INFO[0020] Copying image ref 2/106                       from="docker://k8s.gcr.io
/etcd:2.0.13" to="docker://hb.oiox.cn/cby/etcd:2.0.13"
Getting image source signatures
Copying blob a3ed95caeb02 [--------------------------------------] 0.0b / 0.0b
Copying blob a3ed95caeb02 skipped: already exists  
Copying blob 35c8bf5fd6cd skipped
: already exists  
Copying blob a3ed95caeb02 skipped: already exists
...
root@cby:~#

# 删除镜像
root@cby:~# skopeo delete docker://hb.oiox.cn/cby/etcd:2.0.12 --tls-verify=false --debug
DEBU[0000] Loading registries configuration "/etc/containers/registries.conf" 
DEBU[0000] Loading registries configuration "/etc/containers/registries.conf.d/shortnames.conf" 
DEBU[0000] Found credentials for hb.oiox.cn in credential helper containers-auth.json 
DEBU[0000] Using registries.d directory /etc/containers/registries.d for sigstore configuration
 
DEBU[0000]  No signature storage configuration found for hb.oiox.cn/cby/etcd:2.0.12, using built-in default file:///var/lib/containers/sigstore 
DEBU[0000] Looking for TLS certificates and private keys in /etc/docker/certs.d/hb.oiox.cn 
DEBU[0000] GET https://hb.oiox.cn/v2/                   
DEBU[0000] Ping https://hb.oiox.cn/v2/ status 401       
DEBU[0000] GET https://hb.oiox.cn/service/token?account=admin&scope=repository%3Acby%2Fetcd%3A%2A&service=harbor-registry 
DEBU[0000] GET https://hb.oiox.cn/v2/cby/etcd/manifests/2.0.12 
DEBU[0000] DELETE https://hb.oiox.cn/v2/cby/etcd/manifests/sha256:24cf1202eea3953f9a8c44b0930d03666019ff8c277a0f6cd6190645eb1f7ba5 
DEBU[0000] Deleting /var/lib/containers/sigstore/cby/etcd@sha256=24cf1202eea3953f9a8c44b0930d03666019ff8c277a0f6cd6190645eb1f7ba5/signature-1 
root@cby:~# 


# 查看有哪些tags
root@cby:~# skopeo list-tags docker://k8s.gcr.io/pause
{
    "Repository": "k8s.gcr.io/pause",
    "Tags": [
        "0.8.0",
        "1.0",
        "2.0",
        "3.0",
        "3.1",
        "3.2",
        "3.3",
        "3.4.1",
        "3.5",
        "3.6",
        "3.7",
        "3.8",
        "3.9",
        "go",
        "latest",
        "sha256
-7031c1b283388d2c2e09b57badb803c05ebed362dc88d84b480cc47f72a21097.sig",
        "sha256-9001185023633d17a2f98ff69b6ff2615b8ea02a825adffa40422f51dfdcde9d.sig",
        "test",
        "test2"
    ]
}
root@cby:~#