From 7363cb2bd6df8e11b8fe52a87239f08af6537bdf Mon Sep 17 00:00:00 2001 From: Chris Evich Date: Mon, 6 May 2024 14:09:02 -0400 Subject: [PATCH] Add private registry skopeo example Signed-off-by: Chris Evich --- skopeo/README.md | 29 +++++++++++++++++++++++++++++ 1 file changed, 29 insertions(+) diff --git a/skopeo/README.md b/skopeo/README.md index e258446..638c512 100644 --- a/skopeo/README.md +++ b/skopeo/README.md @@ -38,3 +38,32 @@ podman run docker://quay.io/skopeo/stable:latest copy docker://quay.io/skopeo/st # Inspect the fedora:latest image podman run docker://quay.io/skopeo/stable:latest inspect --config docker://registry.fedoraproject.org/fedora:latest | jq ``` + +## Sample Usage with private registry + +1. Assuming one isn't already defined, setup a Podman secret with the `auth.json` contents. + Alternatively, see the [`containers-auth.json` man + page](https://github.com/containers/image/blob/main/docs/containers-auth.json.5.md) + for the file format. Regardless + of how the file is created, using it as a Podman secret provides more protections than + a simple bind-mount. + + ``` + $ auth_tmp=$(mktemp) + $ echo '{}' > $auth_tmp # JSON formating is required + $ podman login --authfile=$auth_tmp example.com/registry + $ podman secret create registry_name-auth $auth_tmp + $ rm $auth_tmp + ``` + +2. Pass the Podman secret into the Skopeo container along with the intended Skopeo command. + For example, to retrieve metadata for `example.com/registry/image_name:tag` run: + + ``` + $ podman run --secret=registry_name-auth \ + docker://quay.io/skopeo/stable:latest \ + inspect --authfile=/run/secrets/registry_name_auth \ + docker://example.com/registry/image_name:tag + ``` + + ***NOTE:*** The `--authfile` argument must appear after the sub-command (i.e. `inspect` above)
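Review bot: The secret name and the `--authfile` path in step 2 do not match: the secret is created and passed as `registry_name-auth` (hyphen), but the command reads `--authfile=/run/secrets/registry_name_auth` (underscore). Podman mounts a secret at `/run/secrets/<secret-name>` by default, so the path as written will not exist in the container and the authenticated `inspect` will fail. Suggest `--authfile=/run/secrets/registry_name-auth`, or rename the secret so both spellings agree. Smaller points in step 1: `$auth_tmp` is unquoted in all four uses, and the temporary file holding registry credentials is only removed by the final `rm`, so it is left behind if `podman login` or `podman secret create` fails. It would help to quote the variable and mention cleanup on failure. The comment "JSON formating is required" has a typo ("formatting"), and "setup a Podman secret" should read "set up".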