buildah-pull - Pull an image from a registry.
buildah pull [options] image
Pulls an image based upon the specified image name. Image names use a "transport":"details" format.
Multiple transports are supported:
dir:path An existing local directory path containing the manifest, layer tarballs, and signatures in individual files. This is a non-standardized format, primarily useful for debugging or noninvasive image inspection.
docker://docker-reference (Default)
An image in a registry implementing the "Docker Registry HTTP API V2". By default, uses the authorization state in $XDG\_RUNTIME\_DIR/containers/auth.json, which is set using (buildah login). If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using (docker login).
If docker-reference does not include a registry name, localhost will be consulted first, followed by any registries named in the registries configuration.
docker-archive:path
An image is retrieved as a docker load formatted file.
docker-daemon:docker-reference An image docker-reference stored in the docker daemon's internal storage. docker-reference must include either a tag or a digest. Alternatively, when reading images, the format can also be docker-daemon:algo:digest (an image ID).
oci:path:tag** An image tag in a directory compliant with "Open Container Image Layout Specification" at path.
oci-archive:path:tag An image tag in a directory compliant with "Open Container Image Layout Specification" at path.
Buildah resolves the path to the registry to pull from by using the /etc/containers/registries.conf
file, containers-registries.conf(5). If the buildah pull command fails with an "image not known" error,
first verify that the registries.conf file is installed and configured appropriately.
The image ID of the image that was pulled. On error 1 is returned.
--all-tags, a
All tagged images in the repository will be pulled.
--authfile path
Path of the authentication file. Default is ${XDG_RUNTIME_DIR}/containers/auth.json, which is set using buildah login.
If the authorization state is not found there, $HOME/.docker/config.json is checked, which is set using docker login.
--cert-dir path
Use certificates at path (*.crt, *.cert, *.key) to connect to the registry. The default certificates directory is /etc/containers/certs.d.
--creds creds
The [username[:password]] to use to authenticate with the registry if required. If one or both values are not supplied, a command line prompt will appear and the value can be entered. The password is entered without echo.
--decryption-key key[:passphrase]
The [key[:passphrase]] to be used for decryption of images. Key can point to keys and/or certificates. Decryption will be tried with all keys. If the key is protected by a passphrase, it is required to be passed in the argument and omitted otherwise.
--quiet, -q
If an image needs to be pulled from the registry, suppress progress output.
--remove-signatures
Don't copy signatures when pulling images.
--shm-size=""
Size of /dev/shm. The format is <number><unit>. number must be greater than 0.
Unit is optional and can be b (bytes), k (kilobytes), m(megabytes), or g (gigabytes).
If you omit the unit, the system uses bytes. If you omit the size entirely, the system uses 64m.
--tls-verify bool-value
Require HTTPS and verify certificates when talking to container registries (defaults to true).
buildah pull imagename
buildah pull docker://myregistry.example.com/imagename
buildah pull docker-daemon:imagename:imagetag
buildah pull docker-archive:filename
buildah pull oci-archive:filename
buildah pull dir:directoryname
buildah pull --tls-verify=false myregistry/myrepository/imagename:imagetag
buildah pull --creds=myusername:mypassword --cert-dir ~/auth myregistry/myrepository/imagename:imagetag
buildah pull --authfile=/tmp/auths/myauths.json myregistry/myrepository/imagename:imagetag
BUILD_REGISTRY_SOURCES
BUILD_REGISTRY_SOURCES, if set, is treated as a JSON object which contains
lists of registry names under the keys insecureRegistries,
blockedRegistries, and allowedRegistries.
When pulling an image from a registry, if the name of the registry matches any
of the items in the blockedRegistries list, the image pull attempt is denied.
If there are registries in the allowedRegistries list, and the registry's
name is not in the list, the pull attempt is denied.
TMPDIR The TMPDIR environment variable allows the user to specify where temporary files are stored while pulling and pushing images. Defaults to '/var/tmp'.
registries.conf (/etc/containers/registries.conf)
registries.conf is the configuration file which specifies which container registries should be consulted when completing image names which do not include a registry or domain portion.
policy.json (/etc/containers/policy.json)
Signature policy file. This defines the trust policy for container images. Controls which container registries can be used for image, and whether or not the tool should trust the images.
buildah(1), buildah-from(1), buildah-login(1), docker-login(1), containers-policy.json(5), containers-registries.conf(5)