docs-experimental/skopeo-experimental-image-proxy.1.md
% skopeo-experimental-image-proxy(1)
skopeo-experimental-image-proxy - API server for fetching container images (EXPERIMENTAL)
skopeo experimental-image-proxy [options]
EXPERIMENTAL COMMAND: This command is experimental, and its API is subject to change. It is currently hidden from the main help output and not supported on Windows.
skopeo experimental-image-proxy exposes core container image fetching APIs via custom JSON+fd-passing protocol. This provides a lightweight way to fetch container image content (manifests and blobs). This command is primarily intended for programs that want to operate on a storage type that skopeo doesn't natively handle. For example, the bootc project currently has a custom ostree-based container storage backend.
The client process that invokes skopeo experimental-image-proxy is responsible for creating a socket pair and passing one of the file descriptors to the proxy. By default, the proxy expects this file descriptor to be its standard input (fd 0), but a different fd can be specified using the --sockfd option.
Protocol Overview
The protocol requires a socketpair(2) of type SOCK_SEQPACKET, over which a single JSON message is sent per packet. Large data payloads, such as image manifests and blobs, are transferred over separate pipes (pipe(2)), with the read-ends of these pipes passed to the client via file descriptor (FD) passing.
{ "method": "MethodName", "args": [arguments] }{ "success": boolean, "value": JSONValue, "pipeid": number, "error_code": string, "error": string }
success: true if the call succeeded, false otherwise.value: The return value of the method, if any.pipeid: An integer identifying a pipe for data transfer. This ID is used with the FinishPipe method.error_code: A string indicating the type of error if success is false (e.g., "EPIPE", "retryable", "other"). (Introduced in protocol version 0.2.8)error: A string describing the error if success is false.The current protocol version is 0.2.8.
Supported Protocol Methods
The server supports the following methods:
[] (empty array)string (the protocol version, e.g., "0.2.8")docker://quay.io/example/image:latest).
[string imageName]uint64 (an opaque image ID to be used in subsequent calls)OpenImage, but if the image is not found, it returns 0 (a sentinel image ID) instead of an error.
[string imageName]uint64 (opaque image ID, or 0 if the image is not found)[uint64 imageID]nullvalue field in the reply contains the original digest of the manifest (if the image is a manifest list, this is the digest of the list, not the per-platform instance). The manifest content is streamed over a pipe.
[uint64 imageID]string (manifest digest in value), manifest data via pipe.[uint64 imageID]null, configuration data via pipe.value field in the reply contains the blob size. Blob data is streamed over a pipe.
[uint64 imageID, string digest, uint64 size]int64 (blob size in value, -1 if unknown), blob data via pipe.GetBlob, this method does not perform server-side digest verification. It returns two file descriptors to the client: one for the blob data and another for reporting errors that occur during the streaming. This method does not use the FinishPipe mechanism. The value field in the reply contains the blob size. (Introduced in protocol version 0.2.8)
[uint64 imageID, string digest]int64 (blob size in value, -1 if unknown), and two file descriptors: one for the blob data, one for errors. The error is a ProxyError type, see below.GetLayerInfo. Layer information data is streamed over a pipe, which makes it more reliable for images with many layers that would exceed message size limits with GetLayerInfo. The returned data is a JSON array of {digest: string, size: int64, media_type: string}. (Introduced in protocol version 0.2.7)
[uint64 imageID]null, layer information data via pipe.pipeid (obtained from methods like GetManifest or GetBlob). This allows the server to close its end of the pipe and report any pending errors (e.g., digest verification failure for GetBlob). This method must be called by the client after consuming data from a pipe, except for pipes from GetRawBlob.
[uint32 pipeID]null[] (empty array)nullThe following methods are deprecated:
config field). Note: This method returns only a part of the full image configuration due to a historical oversight. Use GetFullConfig for the complete image configuration. Configuration data is streamed over a pipe.
[uint64 imageID]null, configuration data via pipe.GetLayerInfoPiped for a more robust solution.
[uint64 imageID]array of {digest: string, size: int64, media_type: string}.Data Transfer for Pipes
When a method returns a pipeid, the server also passes the read-end of a pipe via file descriptor (FD) passing. The client reads the data (e.g., manifest content, blob content) from this FD. After successfully reading all data, the client must call FinishPipe with the corresponding pipeid. This signals to the server that the transfer is complete, allows the server to clean up resources, and enables the client to check for any errors that might have occurred during the data streaming process (e.g., a digest mismatch during GetBlob). The GetRawBlob method is an exception; it uses a dedicated error pipe instead of the FinishPipe mechanism.
ProxyError
GetBlobRaw returns a JSON object of the following form in the error pipe where:
{
"code": "EPIPE" | "retryable" | "other",
"message": "error message"
}
--sockfd=fd Serve on the opened socket passed as file descriptor fd. Defaults to 0 (standard input).
The command also supports common skopeo options for interacting with image registries and local storage. These include:
--authfile=path
Path of the primary registry credentials file. On Linux, the default is ${XDG_RUNTIME_DIR}/containers/auth.json. See containers-auth.json(5) for more details about the credential search mechanism and defaults on other platforms.
Use skopeo login to manage the credentials.
The default value of this option is read from the REGISTRY\_AUTH\_FILE environment variable.
--cert-dir=path
Use certificates at path (*.crt, *.cert, *.key) to connect to the registry.
--creds username[:password]
Username and password for accessing the registry.
--daemon-host host
Use docker daemon host at host (docker-daemon: transport only)
--no-creds
Access the registry anonymously.
--password=password
Password for accessing the registry. Use with --username.
--registry-token=token
Provide a Bearer token for accessing the registry.
--shared-blob-dir directory
Directory to use to share blobs across OCI repositories.
--tls-verify=bool
Require HTTPS and verify certificates when talking to the container registry or daemon. Default to registry.conf setting.
--username=username Username for accessing the registry. Use with --password.
skopeo(1), containers-auth.json(5)