
Skopeo: The Best Container Tool You Need To Know About

By Mike Sahari

Hello readers. I am here today to tell you about my favorite tool when dealing with containers, Skopeo! This lightweight command line tool performs various operations on container images and image repositories, and it does so without a daemon.

Here at Polyverse, we use containers every day, both internally and in our customer-facing products. Some tasks involve transferring a container image from one AWS account to another, or inspecting our built images to check the labels we rely on for supply chain integrity. For these tasks and more, my tool of choice is Skopeo.

Best of all, Skopeo runs inside a container and performs all of its commands without escalating privileges: it needs neither root nor a daemon. Docker can do this too, but only if you mount the Docker socket into the container, and whoever controls that socket has root-equivalent control of the host. But hey, if that's tolerable in your OPSEC model then you do you.

Skopeo has several commands which make it very useful. My most used, besides login, is the copy command.

Transferring images from disk or from one repository to another is simple. Here is an example using AWS ECR; the terminal input looks like this.

During the copy, Skopeo reads the image layers from the source (here, the host machine's local image store) and pushes them to the destination repository.

Source and destination can be any of the image and repository types (transports) Skopeo supports:

  • containers-storage:docker-reference An image located in a local containers/storage image store. Both the location and image store are specified in /etc/containers/storage.conf. (This is the backend for Podman, CRI-O, Buildah and friends)
  • dir:path An existing local directory path storing the manifest, layer tarballs and signatures as individual files. This is a non-standardized format, primarily useful for debugging or noninvasive container inspection.
  • docker://docker-reference An image in a registry implementing the “Docker Registry HTTP API V2”. By default, uses the authorization state in $XDG_RUNTIME_DIR/containers/auth.json, which is set using skopeo login.
  • docker-archive:path[:docker-reference] An image is stored in a docker save-formatted file. docker-reference is only used when creating such a file, and it must not contain a digest.
  • docker-daemon:docker-reference An image docker-reference stored in the docker daemon internal storage. docker-reference must contain either a tag or a digest. Alternatively, when reading images, the format can also be docker-daemon:algo:digest (an image ID).
  • oci:path:tag An image tag in a directory compliant with “Open Container Image Layout Specification” at path.
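The transport list above doubles as a grammar, and the rules in it (docker: needs the // prefix, docker-daemon: needs a tag or digest, docker-archive: must not carry a digest, the path of docker-archive: and oci: ends at the first colon) are exactly what a wrapper script should check before it shells out to skopeo. The following parser is an added example written for this post; it is not Skopeo's own code, it ignores the optional storage-specifier prefix of containers-storage:, and it accepts only sha256 digests. The ECR registry in the usage test is a constructed placeholder.

```python
"""Parser for Skopeo's transport:reference syntax (added example, not Skopeo's code)."""
import re
from dataclasses import dataclass
from typing import Optional

TRANSPORTS = ("containers-storage", "dir", "docker", "docker-archive", "docker-daemon", "oci")
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")            # assumption: sha256 only
TAG_RE = re.compile(r"^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$")


@dataclass
class ImageRef:
    transport: str
    path: Optional[str] = None    # filesystem path (dir, docker-archive, oci)
    name: Optional[str] = None    # registry/namespace/repository
    tag: Optional[str] = None
    digest: Optional[str] = None

    @property
    def pinned(self) -> bool:
        """True when the reference names content by digest rather than a movable tag."""
        return self.digest is not None


def split_name_tag_digest(ref: str):
    """Split 'host/repo[:tag][@sha256:...]' into (name, tag, digest)."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
        if not DIGEST_RE.match(digest):
            raise ValueError(f"malformed digest: {digest}")
    tag = None
    colon = ref.rfind(":")
    if colon > ref.rfind("/"):          # a colon before the last '/' is a port, not a tag
        ref, tag = ref[:colon], ref[colon + 1:]
        if not TAG_RE.match(tag):
            raise ValueError(f"malformed tag: {tag}")
    if not ref:
        raise ValueError("empty repository name")
    return ref, tag, digest


def parse_ref(s: str) -> ImageRef:
    """Parse one Skopeo image reference, enforcing the per-transport rules."""
    transport, sep, rest = s.partition(":")
    if not sep or transport not in TRANSPORTS:
        raise ValueError(f"unknown or missing transport in {s!r}")
    if transport == "docker":
        if not rest.startswith("//"):
            raise ValueError("docker: reference must start with //")
        name, tag, digest = split_name_tag_digest(rest[2:])
        return ImageRef(transport, name=name, tag=tag, digest=digest)
    if transport == "containers-storage":
        name, tag, digest = split_name_tag_digest(rest)
        return ImageRef(transport, name=name, tag=tag, digest=digest)
    if transport == "docker-daemon":
        if DIGEST_RE.match(rest):                     # docker-daemon:algo:digest is an image ID
            return ImageRef(transport, digest=rest)
        name, tag, digest = split_name_tag_digest(rest)
        if tag is None and digest is None:
            raise ValueError("docker-daemon: reference needs a tag or a digest")
        return ImageRef(transport, name=name, tag=tag, digest=digest)
    if transport == "dir":
        if not rest:
            raise ValueError("dir: needs a path")
        return ImageRef(transport, path=rest)
    if transport == "docker-archive":
        path, _, ref = rest.partition(":")            # the path ends at the first ':'
        if not path:
            raise ValueError("docker-archive: needs a path")
        if not ref:
            return ImageRef(transport, path=path)
        name, tag, digest = split_name_tag_digest(ref)
        if digest is not None:
            raise ValueError("docker-archive: reference must not contain a digest")
        return ImageRef(transport, path=path, name=name, tag=tag)
    # oci:path:tag, the path ends at the first ':'
    path, _, tag = rest.partition(":")
    if not path:
        raise ValueError("oci: needs a path")
    if tag and not TAG_RE.match(tag):
        raise ValueError(f"malformed tag: {tag}")
    return ImageRef(transport, path=path, tag=tag or None)


def is_valid(s: str) -> bool:
    """Convenience wrapper: does the reference parse under the rules above?"""
    try:
        parse_ref(s)
        return True
    except ValueError:
        return False
```

The pinned property is the check worth wiring into a CI copy step: a tag such as v1.2 can be re-pointed at different content in the registry, whereas a reference carrying @sha256:... names exactly one manifest, so pulling and promoting images by digest is what makes a "copy from account A to account B" reproducible.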

It is a very useful tool for copying an image between repository types. My own development involves copying from containers-storage (Podman and Buildah) to AWS ECR (a Docker Registry).

Let's look at other example use cases. Maybe you want to list all available tags for a repository; that is the list-tags command.

Since we build all our containers with a set of labels, I often find myself running the inspect command. It shows the labels that record who built the image, off which branch, and from which commit.
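What inspect actually does for the oci: transport described above is resolve the tag through index.json to a manifest, then read the image config that carries the labels. The example below, added here and not Skopeo's own code, walks that same chain over a throwaway OCI layout it constructs itself, and it verifies the size and sha256 digest of every blob it reads before trusting it, which is the property that makes labels meaningful as supply chain evidence: a label only says who built which commit if the bytes it is attached to are the bytes the manifest digest names. The label values, the example.branch key and the layer contents are constructed for the demo.

```python
"""Inspect an oci: layout the way skopeo inspect does, verifying every blob digest.
Added example over constructed data; not Skopeo's own code."""
import hashlib
import json
import os
import tempfile

REF_NAME = "org.opencontainers.image.ref.name"


def digest_of(data: bytes) -> str:
    return "sha256:" + hashlib.sha256(data).hexdigest()


def write_blob(root: str, data: bytes, media_type: str) -> dict:
    """Store data under blobs/sha256/<hex> and return its OCI descriptor."""
    d = digest_of(data)
    algo, hexd = d.split(":")
    os.makedirs(os.path.join(root, "blobs", algo), exist_ok=True)
    with open(os.path.join(root, "blobs", algo, hexd), "wb") as f:
        f.write(data)
    return {"mediaType": media_type, "digest": d, "size": len(data)}


def read_blob(root: str, desc: dict) -> bytes:
    """Read a blob and refuse it unless size and digest match its descriptor."""
    algo, hexd = desc["digest"].split(":", 1)
    if algo != "sha256":
        raise ValueError(f"unsupported digest algorithm {algo}")
    with open(os.path.join(root, "blobs", algo, hexd), "rb") as f:
        data = f.read()
    if len(data) != desc["size"] or digest_of(data) != desc["digest"]:
        raise ValueError(f"blob {desc['digest']} failed verification")
    return data


def build_layout(root: str, tag: str, labels: dict, layer: bytes) -> str:
    """Write a minimal single-layer OCI image layout (constructed test data)."""
    layer_desc = write_blob(root, layer, "application/vnd.oci.image.layer.v1.tar")
    config = {"architecture": "amd64", "os": "linux",
              "config": {"Labels": labels},
              "rootfs": {"type": "layers", "diff_ids": [layer_desc["digest"]]}}
    cfg_desc = write_blob(root, json.dumps(config).encode(),
                          "application/vnd.oci.image.config.v1+json")
    manifest = {"schemaVersion": 2,
                "mediaType": "application/vnd.oci.image.manifest.v1+json",
                "config": cfg_desc, "layers": [layer_desc]}
    man_desc = write_blob(root, json.dumps(manifest).encode(), manifest["mediaType"])
    man_desc["annotations"] = {REF_NAME: tag}      # this is how oci:path:tag finds it
    with open(os.path.join(root, "index.json"), "w") as f:
        json.dump({"schemaVersion": 2, "manifests": [man_desc]}, f)
    with open(os.path.join(root, "oci-layout"), "w") as f:
        json.dump({"imageLayoutVersion": "1.0.0"}, f)
    return man_desc["digest"]


def inspect_oci(ref: str) -> dict:
    """Resolve 'oci:path:tag' to its manifest digest, labels and layer digests."""
    transport, _, rest = ref.partition(":")
    if transport != "oci":
        raise ValueError("only the oci: transport is handled here")
    path, _, tag = rest.partition(":")
    with open(os.path.join(path, "index.json")) as f:
        index = json.load(f)
    hits = [m for m in index["manifests"] if m.get("annotations", {}).get(REF_NAME) == tag]
    if len(hits) != 1:
        raise ValueError(f"tag {tag!r} matches {len(hits)} manifests")
    manifest = json.loads(read_blob(path, hits[0]))
    config = json.loads(read_blob(path, manifest["config"]))
    for layer in manifest["layers"]:
        read_blob(path, layer)                       # fail closed if any layer was altered
    return {"Digest": hits[0]["digest"],
            "Labels": config.get("config", {}).get("Labels", {}),
            "Layers": [layer["digest"] for layer in manifest["layers"]]}


def demo_layout() -> str:
    """Build a throwaway layout carrying build-provenance labels (values are constructed)."""
    root = tempfile.mkdtemp(prefix="oci-demo-")
    labels = {"org.opencontainers.image.revision": "0123abc",           # commit
              "org.opencontainers.image.source": "https://git.example.com/myapp",
              "org.opencontainers.image.authors": "build-bot",         # who built it
              "example.branch": "main"}                                 # made-up key
    build_layout(root, "v1", labels, b"layer contents")
    return root


def tampering_detected(root: str, tag: str) -> bool:
    """Overwrite the layer blob in place (same length) and check that inspect refuses it."""
    layer_digest = inspect_oci(f"oci:{root}:{tag}")["Layers"][0]
    blob = os.path.join(root, "blobs", *layer_digest.split(":"))
    with open(blob, "r+b") as f:
        f.write(b"LAYER CONTENTS")                   # same size, different bytes
    try:
        inspect_oci(f"oci:{root}:{tag}")
        return False
    except ValueError:
        return True
```

The same-length overwrite in tampering_detected is deliberate: a size check alone would pass it, and only recomputing the digest catches it. That is also why a CI gate should record the manifest digest that inspect returns alongside the labels, rather than the tag, when it decides an image is allowed to ship.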

Skopeo can also encrypt and decrypt image layers during a copy, or sync an entire repository to a destination with the sync command. If you're interested in Skopeo, check it out: https://github.com/containers/skopeo

If you like this kind of content or want to know more, let us know! Your feedback is important and helps us hand craft these blogs for your perusal. If you want to talk to me about Skopeo and other awesome OCI tools, feel free to reach out to me.

msahari@polyverse.com

https://www.linkedin.com/in/mike-sahari
