skopeo copy without modifying digest #1440
Comments
|
Thanks for your report.
That’s tracked as #1378 ; but it also doesn’t much help with your immediate concerns.
Yes; I’d generally recommend that approach, because it is mostly format-agnostic and allows sharing blobs across images, i.e. decreases the mirroring time and transfer size.
(BTW OpenShift has its own mirroring tools that might be easier to use specifically for that product, especially taking OCP release signing into account.)
To me, this seems like something fairly easy to wrap in a script, if necessary (and if the OCP
I’m afraid that isn’t going to work. The temporary registry approach you have outlined above is what I‘d generally recommend for mirroring a set of images; if that’s not an option, use an individual |
yes but their tools also change the digest, I opened a case for them and they still didnt wanted to update their documentation / fix their tool. (i thought maybe first skopeo will create something cool and then I will just suggest them to use it)
we made a lot of scrips, but the process is still pretty difficult, because we always end up with a lot of registries listening on a lot of ports, and a lot of directories for registries datas, and no one knows what where why and how.
its looks like its exactly what we need, it will be amazing to save straight on the disk instead of creating a registry each time. i tried to use the dir option but im getting errors: sorry if im doing something wrong, its my first time using the dir option. |
|
That’s a bit surprising, but it seems related to the registry and not to Just to be sure, note that a |
|
tried to start over: but if i can store only 1 image in the dir then its not really helping :/ may it be possible to make that i could store a lot of images with the dir option? or its like doing exactly what the registry does and its too much work? the copying images to the registry method is great, but it gets more complicated as time passes and we start to get a lot of registries, would be amazing to straight save the images as some file/directory without changing the digest. makes everything very simple and organized. |
I have just tested that, and it works for me. “Internal server error” really needs to be resolved server-side; what do the logs for that operation say?
Basically: the registry code works and is well-tested, including some non-trivial aspects like pulling multiple layers in parallel; maintaining a separate file implementation path, has, so far, seemed unnecessary.
Temporarily start the registry on localhost with a specific directory mounted as the registry’s storage (as the example above does with |
looks like i had some problem with the registry storage, i recreated it and everything works now, thanks!
then I guess the registry method is really the best solution. thanks for clarifying everything. |
A digest-stable copy seems popular, even when not copying signed images. Using --all can still change digests. Adding an option to ensure digests are preserved. See: containers/skopeo#1440 containers/skopeo#1378 containers/skopeo#1102 containers/skopeo#1451 Signed-off-by: James Hewitt <[email protected]>
A digest-stable copy seems popular, even when not copying signed images. Using --all can still change digests. Adding an option to ensure digests are preserved. See: containers/skopeo#1440 containers/skopeo#1378 containers/skopeo#1102 containers/skopeo#1451 Signed-off-by: James Hewitt <[email protected]>
A digest-stable copy seems popular, even when not copying signed images. Using --all can still change digests. Adding an option to ensure digests are preserved. See: containers/skopeo#1440 containers/skopeo#1378 containers/skopeo#1102 containers/skopeo#1451 Signed-off-by: James Hewitt <[email protected]>
A digest-stable copy seems popular, even when not copying signed images. Using --all can still change digests. Adding an option to ensure digests are preserved. Also adding a missing check to enable digest preservation for manifest lists where the destination is digested. See: containers/skopeo#1440 containers/skopeo#1378 containers/skopeo#1102 containers/skopeo#1451 Signed-off-by: James Hewitt <[email protected]>
A digest-stable copy seems popular, even when not copying signed images. Using --all can still change digests. Adding an option to ensure digests are preserved. Also adding a missing check to enable digest preservation for manifest lists where the destination is digested. See: containers/skopeo#1440 containers/skopeo#1378 containers/skopeo#1102 containers/skopeo#1451 Signed-off-by: James Hewitt <[email protected]>
A digest-stable copy seems popular, even when not copying signed images. Using --all can still change digests. Adding an option to ensure digests are preserved. Also adding a missing check to enable digest preservation for manifest lists where the destination is digested. See: containers/skopeo#1440 containers/skopeo#1378 containers/skopeo#1102 containers/skopeo#1451 Signed-off-by: James Hewitt <[email protected]>
A digest-stable copy seems popular, even when not copying signed images. Using --all can still change digests. Adding an option to ensure digests are preserved. Also adding a missing check to enable digest preservation for manifest lists where the destination is digested. See: containers/skopeo#1440 containers/skopeo#1378 containers/skopeo#1102 containers/skopeo#1451 Signed-off-by: James Hewitt <[email protected]>
A digest-stable copy seems popular, even when not copying signed images. Using --all can still change digests. Adding an option to ensure digests are preserved. Also adding a missing check to enable digest preservation for manifest lists where the destination is digested. See: containers/skopeo#1440 containers/skopeo#1378 containers/skopeo#1102 containers/skopeo#1451 Signed-off-by: James Hewitt <[email protected]>
A digest-stable copy seems popular, even when not copying signed images. Using --all can still change digests. Adding an option to ensure digests are preserved. Also adding a missing check to enable digest preservation for manifest lists where the destination is digested. See: containers/skopeo#1440 containers/skopeo#1378 containers/skopeo#1102 containers/skopeo#1451 Signed-off-by: James Hewitt <[email protected]>
A digest-stable copy seems popular, even when not copying signed images. Using --all can still change digests. Adding an option to ensure digests are preserved. Also adding a missing check to enable digest preservation for manifest lists where the destination is digested. See: containers/skopeo#1440 containers/skopeo#1378 containers/skopeo#1102 containers/skopeo#1451 Signed-off-by: James Hewitt <[email protected]>
most of the redhat products are pulling images by digests to make sure that the image has not been modified.
we work in restricted network so our goal is to get the images to the restricted network environment without modifying the image digest.
the only way to transfer file to the restricted environment is by usb flash drive, so we need to somehow save the image as a file, transfer the file with usb, and then upload the image to the registry in the restricted environment.
it would be nice maybe to add some flag so that skopeo would copy the image without modifying its digest.
the only way to move image without modifying its digest is between registries with the --all flag:
so to transfer the image to the restricted environment we create custom registry:
copy the image to the registry:
copy the /var/registry-data/docker folder to the restricted environment.
create the container in the restricted environment machine:
and copy the image to restricted environment registry:
and then pulling by the digest will work:
as you can see the process is very difficult, and if we try to save the image as a file straight, the digest would change:
then we would move the image file to the restricted environment, and then load it:
but i get the error:
probably because when saving the image as a file, it actually modifies the digest:
if you want to compare with the source image:
The text was updated successfully, but these errors were encountered: