Docker helps with running applications in containers, but sometimes, getting Docker images without using Docker itself is useful. Using tools like skopeo, we can directly download images from Docker Hub, which is handy for systems with limited resources or where Docker isn’t installed. This method lets us check and extract content from images without running them, making it more flexible for managing Docker images.
When downloading Docker images without using Docker, security concerns emerge due to potential risks associated with untrusted sources, compromised image integrity, undetected vulnerabilities, dependency conflicts, and compliance challenges. Without Docker’s security features, such as image signing, vulnerability scanning, and container isolation, users face increased difficulty in ensuring the trustworthiness, integrity, and compliance of downloaded images, posing potential threats to the security and stability of their environments.
Downloading Docker images without using Docker itself is feasible through several alternative methods. Here are a few:
Using curl or wget: Docker images are stored in container registries like Docker Hub. Tools like curl or wget can be used to download Docker images directly from these registries by accessing the image URL.
Using specialized tools: Specialized tools are designed for fetching and managing Docker images without Docker itself. Tools like skopeo allow users to interact with container registries to fetch images.
Using containerd or other container runtimes: Containerd is a container runtime that can interact directly with container registries. We can use containerd to pull Docker images without needing the Docker engine. However, this may still require some setup and configuration.
In this Answer, we will focus on skopeo only.
What is skopeo?
Skopeo is a command line utility for working with remote container image registries. It allows users to perform various operations on container images without requiring Docker or container runtime installation. skopeo provides functionalities like copying images between repositories, inspecting image properties, viewing manifests, and more. skopeo can be used on Linux, Mac, and Windows.
Here are some common functionalities of skopeo:
Copy images: Skopeo enables copying images from one container repository to another without pulling them locally.
Inspect images: It allows inspecting image properties, such as image metadata, layers, and configurations, without actually pulling the entire image.
View manifests: Skopeo can fetch and display image manifests that define the contents and layers.
Transfer images: It supports transferring images between container image stores, including Docker and Quay.io.
skopeo installation
To utilize skopeo on an Ubuntu system, it is necessary to install it. Here is the command for installing skopeo.
sudo apt-get -y install skopeo
This command, executed with superuser privileges (sudo), installs Skopeo on an Ubuntu system using the apt-get package manager. The -y flag automatically confirms the installation without requiring user input for confirmation prompts.
skopeo
The following code illustrates how skopeo enables direct copying of images from Docker Hub.
skopeo copy docker://docker.io/library/image:tag dir:image
skopeo copy: Initiates the copying operation provided by Skopeo.
docker://docker.io/library/image:tag: Specifies the source Docker image to be copied. Replace image with the specific image name and tag with the version or tag of the image we want to copy.
dir:image: Specifies the destination for the copied image. In this case, it is dir:image, indicating that the image will be saved locally in the image directory.
Here are some flags that can be used with the skopeo copy command:
--src-creds: This flag is used to specify credentials for the source registry.
--dest-creds: This flag is used to specify credentials for the destination registry.
--src-tls-verify and --dest-tls-verify: These flags are used to enable or disable TLS verification for the source and destination registries, respectively.
--src-tls-client-cert and --dest-tls-client-cert: These flags are used to specify the client certificate file for TLS authentication with the source and destination registries, respectively.
--src-tls-client-key and --dest-tls-client-key: These flags are used to specify the client key file for TLS authentication with the source and destination registries, respectively.
--all: This flag is used to copy all tags of the specified image.
--dest-override-os and --dest-override-arch: These flags are used to override the operating system and architecture of the destination image, respectively.
--dest-tls-verify-remote-name: This flag is used to verify the remote name in the TLS certificate for the destination registry.
skopeo
Let’s explore an example of copying the Ubuntu image from Docker Hub using Skopeo.
skopeo copy docker://ubuntu:20.04 dir:ubuntu_image
This command will pull the Ubuntu image with the tag 20.04 from Docker Hub and save it to a local directory named ubuntu_image.
Adjust the tag (20.04 in this case) to download a specific version or use latest to get the latest available version.
The dir: prefix specifies that we are saving the image to a directory on the local system. We can change ubuntu_image to our preferred directory name.
Inspect the copied image using skopeo inspect:
skopeo inspect dir:ubuntu_image
This command provides details about the image, such as its layers and configuration.
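The integrity concern raised earlier can be checked offline on the directory that skopeo copy produced. The following is an added example, not part of the original Answer or of skopeo itself: it assumes ubuntu_image/manifest.json is a single image manifest and that each blob it references is stored as a file named by its hex sha256 digest; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: verify a `skopeo copy ... dir:<path>` layout without Docker.
# Assumption: <path>/manifest.json is one image manifest (not a manifest list)
# and every referenced blob is stored as <path>/<hex sha256 digest>.

sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# verify_image_dir DIR [EXPECTED_MANIFEST_DIGEST]
# Returns 0 when every blob named in the manifest exists and hashes to its
# own name and, if a pinned "sha256:<hex>" is given, the manifest matches it.
# Returns 1 on any mismatch, 2 when the layout cannot be read.
verify_image_dir() {
    dir=$1
    pinned=${2:-}
    manifest="$dir/manifest.json"
    [ -f "$manifest" ] || { echo "missing $manifest" >&2; return 2; }

    if [ -n "$pinned" ]; then
        actual="sha256:$(sha256_of "$manifest")"
        if [ "$actual" != "$pinned" ]; then
            echo "manifest digest mismatch: got $actual" >&2
            return 1
        fi
    fi

    # Config and layer digests all appear in the manifest as sha256:<64 hex>.
    digests=$(grep -o 'sha256:[0-9a-f]\{64\}' "$manifest" | sort -u)
    [ -n "$digests" ] || { echo "no digests in manifest" >&2; return 2; }

    rc=0
    for d in $digests; do
        hex=${d#sha256:}
        blob="$dir/$hex"
        if [ ! -f "$blob" ]; then
            echo "missing blob $hex" >&2; rc=1
        elif [ "$(sha256_of "$blob")" != "$hex" ]; then
            echo "corrupt blob $hex" >&2; rc=1
        fi
    done
    return $rc
}
```

Call it as verify_image_dir ubuntu_image, optionally passing a manifest digest recorded from a trusted source as the second argument.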
These approaches provide a workaround for scenarios where Docker is inaccessible or for users seeking to inspect and transfer images without directly running containers.