nerdctl icon indicating copy to clipboard operation
nerdctl copied to clipboard
verified publisher icon containerd

feat: add --skip-verify flag to nerdctl save command

Open reckless-huang opened this issue 3 months ago • 0 comments

Summary

Add --skip-verify flag to nerdctl save command to allow saving images when the original registry is unavailable but all layers are present locally.

Problem

Users encounter failures when trying to save locally tagged images if the original registry becomes inaccessible:

$ nerdctl save xxxxx.xxxxx.net:32443/ss/event-exporter:aaa -o aa.tar
xxxx.xxxxx.net:32443/ss/event-exporter:aaa: resolving |------|
elapsed: 0.7 s                                  total: 0.0 B (0.0 B/s)
INFO[0000] fetch failed after status: 404 Not Found
FATA[0000] failed to resolve reference: not found

This happens because the save command calls EnsureAllContent which tries to verify all layers remotely, causing the operation to fail even when all necessary layers are available locally.

Solution Add --skip-verify flag that allows users to bypass remote layer verification:

$ nerdctl save --skip-verify xxxxx.xxxx.xxxx:32443/ss/event-exporter:aaa -o aa.tar
INFO[0000] Skipping remote layer verification (--skip-verify enabled)
# Successfully exports the image

Changes

Add SkipVerify field to ImageSaveOptions type Add --skip-verify command line flag with descriptive help text Modify save logic to conditionally skip EnsureAllContent verification Add informative log message when verification is skipped Improve tag command logging for better user feedback Add test coverage for the new functionality

Behavior

With --skip-verify (new):

Skips remote layer verification Shows: INFO[xxxx] Skipping remote layer verification (--skip-verify enabled) Works offline/when original registry is unavailable Faster execution

Without --skip-verify (default):

Maintains existing behavior Ensures backward compatibility Still performs remote verification

Use Cases

Registry migration: Save images when old registry is decommissioned Offline environments: Export images without network access to original registry Network issues: Continue operations during temporary registry outages Air-gapped deployments: Prepare images for offline environments

Testing

Added TestSaveSkipVerify test case Verified command line flag parsing Confirmed backward compatibility Tested successful image export with both flags

Related Issues

Addresses user pain points related to:

Registry unavailability during image operations Network timeout issues in EnsureAllContent Inability to export locally available images

END

This change provides a practical solution for users who need to export images when the original registry is inaccessible, while maintaining full backward compatibility.

reckless-huang avatar Sep 17 '25 07:09 reckless-huang