Skopeo

Skopeo: Moving & Sharing

In this step, we are going to do a couple of simple exercises with Skopeo to give you a feel for what it can do. Skopeo doesn't need to interact with the local container storage (.local/share/containers), it can move directly between registries, between container engine storage, or even directories.

Remotely Inspecting Images

First, lets start with the use case that kicked off the Skopeo project. Sometimes, it's really convenient to inspect an image remotely before pulling it down to the local cache. This allows us to inspect the meta-data of the image and see if we really want to use it, without synchronizing it to the local image cache:

skopeo inspect docker://registry.fedoraproject.org/fedora

We can easily see the "Architecture" and "Os" meta-data which tells us a lot about the image. We can also see the labels, which are consumed by most container engines, and passed to the runtime to be constructed as environment variables. By comparison, here's how to see this meta-data in a running container:

podman run --name meta-data-container -id registry.fedoraproject.org/fedora bash; podman inspect meta-data-container

Pulling Images

Like, Podman, Skopeo can be used to pull images down into the local container storage:

skopeo copy docker://registry.fedoraproject.org/fedora containers-storage:fedora

But, it can also be used to pull them into a local directory:

skopeo copy docker://registry.fedoraproject.org/fedora dir:$HOME/fedora-skopeo

This has the advantage of not being mapped into our container storage. This can be convenient for security analysis:

ls -alh ~/fedora-skopeo

The Config and Image Layers are there, but remember we need to rely on a graph driver in a container engine to map them into a RootFS.

Conclusion

You have a new tool in your tool belt for sharing and moving containers. Hopefully, you find other uses for Skopeo.