skopeo工具部署使用
介绍
Skopeo 是一个命令行工具,用于管理、检查和操作容器镜像,无需运行容器或 Docker 守护进程。它允许您直接在容器注册表中操作镜像,而不需要先将它们下载到本地。
github地址:https://github.com/containers/skopeo
安装部署
使用三方安装包:
地址:https://github.com/lework/skopeo-binary/releases
version=v1.6.2
arch=amd64
[ -f /usr/bin/skopeo ] && mv /usr/bin/skopeo{,_src}
wget https://github.com/lework/skopeo-binary/releases/download/${version}/skopeo-linux-${arch} -O /usr/bin/skopeo
chmod +x /usr/bin/skopeo
yum安装
# RHEL / CentOS Stream ≥ 8
dnf install skopeo
# RHEL/CentOS ≤ 7.x
yum install skopeo
编译安装
因为编译需要有golang环境,因此我选择容器化编译skopeo命令
自行下载好skopeo源文件
# docker run --rm --name skopeo -it golang:1.24.5 bash
# 使用 渡渡鸟加速下载镜像
docker run --rm --name skopeo -it swr.cn-north-4.myhuaweicloud.com/ddn-k8s/docker.io/library/golang:1.24.5 bash
# git 下载(较慢)
# git clone --branch v1.20.0 https://github.com/containers/skopeo /tmp/app
# 上传skopeo-1.20.0.tar.gz到容器上(在另外打开一个窗口)
docker cp skopeo-1.20.0.tar.gz skopeo:/tmp/
# 编译二进制文件
cd /tmp/
tar -zxvf skopeo-1.20.0.tar.gz
cd /tmp/skopeo-1.20.0
# 用于编译 静态链接 的 skopeo 二进制文件
make EXTRA_LDFLAGS='-extldflags "-static"' DISABLE_CGO=1 bin/skopeo
# 拷贝skopeo命令(在另外打开一个窗口)
docker cp skopeo:/tmp/skopeo-1.20.0/bin/skopeo ~/skopeo
mv skopeo /usr/local/bin/
# 验证skopeo命令
[root@localhost ~]# skopeo --version
skopeo version 1.20.0
常用功能学习验证
命令选项
[root@localhost ~]# skopeo -h
Various operations with container images and container image registries
Usage:
skopeo [flags]
skopeo [command]
Available Commands:
copy Copy an IMAGE-NAME from one location to another
delete Delete image IMAGE-NAME
generate-sigstore-key Generate a sigstore public/private key pair
help Help about any command
inspect Inspect image IMAGE-NAME
list-tags List tags in the transport/repository specified by the SOURCE-IMAGE
login Login to a container registry
logout Logout of a container registry
manifest-digest Compute a manifest digest of a file
standalone-sign Create a signature using local files
standalone-verify Verify a signature using local files
sync Synchronize one or more images from one location to another
Flags:
--command-timeout duration timeout for the command execution
--debug enable debug output
-h, --help help for skopeo
--insecure-policy run the tool without any policy check
--override-arch ARCH use ARCH instead of the architecture of the machine for choosing images
--override-os OS use OS instead of the running OS for choosing images
--override-variant VARIANT use VARIANT instead of the running architecture variant for choosing images
--policy string Path to a trust policy file
--registries.d DIR use registry configuration files in DIR (e.g. for container signature storage)
--tmpdir string directory used to store temporary files
-v, --version Version for Skopeo
Use "skopeo [command] --help" for more information about a command.
[root@localhost ~]#
Skopeo 存储类型区分
| 类型 | 是否需要 daemon | 存储位置 | 可读写 | 典型场景 |
|---|---|---|---|---|
containers-storage |
❌ 不需要 | Podman/Buildah 存储 | ✅ 读写 | Podman 环境镜像迁移 |
dir |
❌ 不需要 | 本地目录 | ✅ 读写 | 离线镜像传输 |
docker:// |
❌ 不需要 | 远程注册表 | ✅ 读写 | 注册表间复制 |
docker-daemon |
✅ 需要 Docker | Docker 存储 | ✅ 读写 | Docker 镜像导出 |
docker-archive |
❌ 不需要 | 本地 tar 文件 | ✅ 读写 | 镜像备份(docker save) |
oci |
❌ 不需要 | OCI 布局目录 | ✅ 读写 | OCI 标准兼容性 |
# 从 Podman 存储复制到注册表
skopeo copy containers-storage:myapp:v1.2 docker://myregistry.com/myapp:v1.2
# 导出为目录
skopeo copy docker://nginx:alpine dir:/tmp/nginx-oci
# 从目录导入
skopeo copy dir:/tmp/nginx-oci docker://myregistry.com/nginx:oci
# 注册表间复制
skopeo copy docker://source.com/app:v1 docker://myregistry.com/app:v1
# 检查镜像信息
skopeo inspect docker://nginx:alpine
# 从 Docker 保存为 tar
skopeo copy docker-daemon:myapp:v1 docker-archive:myapp.tar
# 上传到注册表
skopeo copy docker-daemon:myapp:v1 docker://registry.example.com/myapp:v1
# 从归档导入到注册表
skopeo copy docker-archive:myapp.tar docker://registry.example.com/myapp:v1
# 导出为归档
skopeo copy docker://nginx:alpine docker-archive:nginx.tar
# 转换为 OCI 格式
skopeo copy docker://nginx:alpine oci:nginx-oci
# 从 OCI 导入
skopeo copy oci:nginx-oci docker://myregistry/nginx:oci
镜像仓库管理认证
[root@localhost ~]# skopeo login --username gzeport reg-hub.gzeport.com
Password:
Login Succeeded!
查看镜像tag列表
[root@localhost ~]# skopeo list-tags docker://reg-hub.gzeport.com/jsb/test/gzeport-gitlab-demo
{
"Repository": "reg-hub.gzeport.com/jsb/test/gzeport-gitlab-demo",
"Tags": [
"202509051444-104",
"202509081059-127"
]
}
获取镜像的信息
[root@localhost ~]# skopeo inspect docker://reg-hub.gzeport.com/jsb/test/gzeport-gitlab-demo:202509081059-127
{
"Name": "reg-hub.gzeport.com/jsb/test/gzeport-gitlab-demo",
"Digest": "sha256:c344155eae9ecd981cd65bfa7c5de3d89c94290d9a98e8b2ce7716677f2d6f3b",
"RepoTags": [
"202509051444-104",
"202509081059-127"
],
"Created": "2025-09-08T03:00:08.023305833Z",
"DockerVersion": "",
"Labels": {
"maintainer": "guoliangjun\u003cguoliangjun@gzeport.com\u003e"
},
"Architecture": "amd64",
"Os": "linux",
"Layers": [
"sha256:112172c80402e94c71cf5133d9e6b72ceaf1dfee3fd2d79e49f4c565ee922fdc",
"sha256:2ca04d5033e9b06f7f92b625c2dc591d8d0d268054b1b83d9dc4a65d46d62bf8",
"sha256:4f4fb700ef54461cfa02571ae0db9a0dc1e0cdb5577484a6d75e68dc38e8acc1",
"sha256:b3fc3e09f917917a4c7f372981e82ed15e4c53faf74a5b9dbd07ee9d1a0e2e78",
"sha256:a3fecc6f396d976fe2a9dc99aef03338fd6a5ee992a0f1356b7020f553118479",
"sha256:678830d91e6aecb1a6d9c44e029935aea6cac5663158bf78a022f2cb18817264",
"sha256:7de33b34712317ae38de55f813a929448ae006ac5332676a428438040375206a",
"sha256:4f4fb700ef54461cfa02571ae0db9a0dc1e0cdb5577484a6d75e68dc38e8acc1"
],
"LayersData": [
镜像复制
在 registry、本地目录和容器存储等不同存储机制之间复制容器镜像,添加--insecure-policy跳过策略检查(禁用签名验证)
[root@localhost ~]# skopeo copy --insecure-policy docker://docker.guoliangjun.com/library/busybox:1.37.0 docker://reg-hub.gzeport.com/library/busybox:1.37.0
Getting image source signatures
Copying blob 80bfbb8a41a2 done |
Copying config 0ed463b26d done |
Writing manifest to image destination
# 拉取所有架构
[root@localhost ~]# skopeo copy --insecure-policy --all docker://docker.guoliangjun.com/library/busybox:1.37.0 docker://reg-hub.gzeport.com/library/busybox:1.37.0
拷贝镜像
[root@localhost ~]# skopeo --insecure-policy copy docker://docker.guoliangjun.com/nginx:1.28.0 docker-archive:/tmp/nginx.tar
Getting image source signatures
Copying blob d107e437f729 done |
Copying blob 1b0ead710ba9 done |
Copying blob 630af9f1fcb8 done |
Copying blob 7ca080409cf1 done |
Copying blob c04f61b76b4d done |
Copying blob 87cc7677affb done |
Copying blob 0c740d5dc502 done |
Copying config 3faf4e6888 done |
Writing manifest to image destination
[root@localhost ~]# ls -lah /tmp/nginx.tar
-rw-r--r-- 1 root root 188M 9月 19 11:02 /tmp/nginx.tar
也可以将下载的文件导入到本地docker
[root@localhost ~]# skopeo copy --insecure-policy docker-archive:/tmp/nginx.tar docker-daemon:nginx:1.28.0
Getting image source signatures
Copying blob 36f5f951f60a done |
Copying blob 2351dd6bd33d done |
Copying blob 00cc4f38365c done |
Copying blob 15db5544fc22 done |
Copying blob ce6adb617595 done |
Copying blob 1fc99835d6cd done |
Copying blob ef322fe0300d done |
Copying config 3faf4e6888 done |
Writing manifest to image destination
将镜像下载到指定目录
[root@localhost ~]# skopeo copy --insecure-policy docker://docker.guoliangjun.com/nginx:1.28.0 dir:/tmp/nginx_128
Getting image source signatures
Copying blob 87cc7677affb done |
Copying blob d107e437f729 done |
Copying blob 1b0ead710ba9 done |
Copying blob 630af9f1fcb8 done |
Copying blob 7ca080409cf1 done |
Copying blob c04f61b76b4d done |
Copying blob 0c740d5dc502 done |
Copying config 3faf4e6888 done |
Writing manifest to image destination
[root@localhost ~]#
[root@localhost ~]# ls -alh /tmp/nginx_128/
总用量 70M
drwxr-xr-x 2 root root 4.0K 9月 19 11:08 .
drwxrwxrwt. 14 root root 4.0K 9月 19 11:08 ..
-rw-r--r-- 1 root root 1.4K 9月 19 11:08 0c740d5dc50237b947d159b5098457957f7386d7a36dd289e2d53d23b0949f10
-rw-r--r-- 1 root root 43M 9月 19 11:08 1b0ead710ba91821554082f63db96a4bf0044ec63cab7007f142fc613b76d91a
-rw-r--r-- 1 root root 8.4K 9月 19 11:08 3faf4e6888eeaa3974f71cfac4283b6b674433e2d0e91ef709d1a4a2643bd7cc
-rw-r--r-- 1 root root 629 9月 19 11:08 630af9f1fcb8bde8215695bdf68b051d84995453a2cdf2f9d9e2567128943e79
-rw-r--r-- 1 root root 953 9月 19 11:08 7ca080409cf1d1b2f7fab0b3d6de0d3b16a8177e7ab6d682f57ba9d9b313dab3
-rw-r--r-- 1 root root 1.2K 9月 19 11:08 87cc7677affb2b876bdcd51a6de405e9668a72d7911b44d79fd520523493c991
-rw-r--r-- 1 root root 404 9月 19 11:08 c04f61b76b4d9a2ca5b0b466796203a9cce3934d434844abbb27f70576ba5ee1
-rw-r--r-- 1 root root 27M 9月 19 11:08 d107e437f7299a0db6425d4e37f44fa779f7917ecc8daf1e87128ee91b9ed3d3
-rw-r--r-- 1 root root 2.3K 9月 19 11:08 manifest.json
-rw-r--r-- 1 root root 33 9月 19 11:07 version
[root@localhost ~]#
指定目录导入到本地
skopeo copy --insecure-policy dir:/tmp/nginx_128 docker-daemon:nginx:1.28.0
删除镜像
skopeo delete docker://reg-hub.gzeport.com/library/busybox:1.37.0
镜像同步
将仓库中所有 busybox 镜像版本同步到本地目录
skopeo sync \
--insecure-policy --src-tls-verify=false \
--src docker --dest dir \
reg-hub.gzeport.com/library/busybox:1.37.0 /tmp/busybox
INFO[0000] Tag presence check imagename="reg-hub.gzeport.com/library/busybox:1.37.0" tagged=true
INFO[0000] Copying image ref 1/1 from="docker://reg-hub.gzeport.com/library/busybox:1.37.0" to="dir:/tmp/busybox/busybox:1.37.0"
Getting image source signatures
Copying blob 80bfbb8a41a2 done |
Copying config 0ed463b26d done |
Writing manifest to image destination
INFO[0000] Synced 1 images from 1 sources
[root@localhost tmp]# ll
总用量 0
drwxr-xr-x 3 root root 28 9月 19 11:24 busybox
从本地目录 /tmp/ 同步到 docker 的 hub 容器仓库
skopeo sync \
--insecure-policy --dest-tls-verify=false \
--src dir --dest docker \
/tmp/busybox reg-hub.gzeport.com/library/busybox_test
INFO[0000] Copying image ref 1/1 from="dir:/tmp/busybox/busybox:1.37.0" to="docker://reg-hub.gzeport.com/library/busybox_test/busybox:1.37.0"
Getting image source signatures
Copying blob 80bfbb8a41a2 skipped: already exists
Copying config 0ed463b26d done |
Writing manifest to image destination
INFO[0000] Synced 1 images from 1 sources
[root@localhost busybox]#
不同的仓库之间同步
[root@localhost busybox]# skopeo sync --insecure-policy --src-tls-verify=false --dest-tls-verify=false --src docker --dest docker docker.guoliangjun.com/library/busybox:1.35 reg-hub.gzeport.com/library/
INFO[0000] Tag presence check imagename="docker.guoliangjun.com/library/busybox:1.35" tagged=true
INFO[0000] Copying image ref 1/1 from="docker://docker.guoliangjun.com/library/busybox:1.35" to="docker://reg-hub.gzeport.com/library/busybox:1.35"
Getting image source signatures
Copying blob a9b82d1f2d6e done |
Copying config 95f45f9550 done |
Writing manifest to image destination
INFO[0034] Synced 1 images from 1 sources
参考
1.https://github.com/containers/skopeo
2.https://blog.liaosirui.com/%E7%B3%BB%E7%BB%9F%E8%BF%90%E7%BB%B4/E.%E5%AE%B9%E5%99%A8%E4%B8%8E%E5%AE%B9%E5%99%A8%E7%BC%96%E6%8E%92/%E5%91%BD%E4%BB%A4%E8%A1%8C%E5%B7%A5%E5%85%B7/Skopeo/Skopeo%E7%9A%84%E4%BD%BF%E7%94%A8.html