> ## Documentation Index
> Fetch the complete documentation index at: https://docs.tokenfactory.nebius.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Import a container image from a registry

> Imports the OCI image filesystem content of from a specified registry.

Important limitations and behavior:

- Only the image root filesystem (files and directories) is imported. This is like to the output of
  `docker export` and does not preserve layers metadata.
- Most image configuration and manifest data are ignored. Metadata such as `LABEL`,
  `ENTRYPOINT`, `CMD`, `WORKDIR`, `EXPOSE` and other image configuration directives
  will **NOT be imported or applied**.
- `ENV` variables defined in the image **are imported** and automatically applied to the
  instance environment when `shell` is set to `true`. When `shell` is `false`, image
  environment variables are not inherited and must be passed explicitly via the `env` field.
- The result is a flat rootfs snapshot with preserved environment variables.
- If the specified tag already exists in the public images, the imported image will replace it.
  To avoid this, you can tag the existing image with a different tag for use it later.
  You also can use image UUIDs it is not changing for imported and existend image.
- In case the remote image is unchanged and already imported, the operation will complete and the same UUID
  will be returned without re-importing the image.

The request creates an import operation which runs asynchronously.




## OpenAPI

````yaml https://eu-north.nebius.computer/static/api.yaml post /images/import
openapi: 3.0.0
info:
  title: Contree API
  description: >
    Contree is a container management system combining virtual machine isolation
    with container operational efficiency. 

    Designed for security-sensitive workloads requiring hardware-enforced
    boundaries while maintaining

    container workflow compatibility.
  version: 1.0.0
servers:
  - url: '{baseUrl}/v1'
    description: |
      Nebius IAM-fronted endpoint (use `IAMBearerAuth` + `IAMProjectHeader`).
      Override `baseUrl` to point at a different deployment.
    variables:
      baseUrl:
        default: https://api.tokenfactory.nebius.com/sandboxes
        description: |
          Base URL of the contree service. Defaults to the public Nebius
          IAM-fronted endpoint; set to your self-hosted contree origin
          (e.g. `https://contree.example.com`) when running elsewhere.
security:
  - IAMBearerAuth: []
    IAMProjectHeader: []
tags:
  - name: images
    description: Operations related to container images
  - name: files
    description: Operations related to file uploads
  - name: instances
    description: Operations related to container instances
  - name: inspect
    description: Operations related to inspecting container images
  - name: operations
    description: Operations related to long-running operations
  - name: auth
    description: Authentication and token introspection
paths:
  /images/import:
    post:
      tags:
        - images
      summary: Import a container image from a registry
      description: >
        Imports the OCI image filesystem content of from a specified registry.


        Important limitations and behavior:


        - Only the image root filesystem (files and directories) is imported.
        This is like to the output of
          `docker export` and does not preserve layers metadata.
        - Most image configuration and manifest data are ignored. Metadata such
        as `LABEL`,
          `ENTRYPOINT`, `CMD`, `WORKDIR`, `EXPOSE` and other image configuration directives
          will **NOT be imported or applied**.
        - `ENV` variables defined in the image **are imported** and
        automatically applied to the
          instance environment when `shell` is set to `true`. When `shell` is `false`, image
          environment variables are not inherited and must be passed explicitly via the `env` field.
        - The result is a flat rootfs snapshot with preserved environment
        variables.

        - If the specified tag already exists in the public images, the imported
        image will replace it.
          To avoid this, you can tag the existing image with a different tag for use it later.
          You also can use image UUIDs it is not changing for imported and existend image.
        - In case the remote image is unchanged and already imported, the
        operation will complete and the same UUID
          will be returned without re-importing the image.

        The request creates an import operation which runs asynchronously.
      operationId: importImage
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/ImageImportRequest'
      responses:
        '201':
          description: Created - The request has been accepted for processing
          headers:
            Location:
              schema:
                type: string
              description: URL to check the operation status
              example: /v1/operations/12345678-9abc-baba-deda-0123456789ab
          content:
            application/json:
              schema:
                type: object
                required:
                  - uuid
                properties:
                  uuid:
                    $ref: '#/components/schemas/UUIDSchema'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
components:
  schemas:
    ImageImportRequest:
      type: object
      required:
        - registry
      properties:
        registry:
          type: object
          required:
            - url
          properties:
            url:
              type: string
              description: URL of the container registry
              example: docker://docker.io/busybox:latest
            credentials:
              type: object
              properties:
                username:
                  type: string
                  description: Username for the registry authentication
                  example: myuser
                password:
                  type: string
                  description: Password for the registry authentication
                  example: secret
                  format: password
        tag:
          type: string
          nullable: true
          description: >-
            Tag to identify the image when listing publicly available images. If
            omitted, the image will be private and only accessible by ID.
          example: busybox:latest
        timeout:
          type: integer
          description: Maximum time in seconds to wait for the import operation to complete
          default: 300
          example: 300
    UUIDSchema:
      type: string
      format: uuid
      description: A UUID string
      example: 12345678-9abc-baba-deda-0123456789ab
    Error:
      type: object
      required:
        - error
      properties:
        error:
          oneOf:
            - type: string
            - type: object
            - type: array
              items:
                type: object
          description: Error message or structured validation errors
          example: Some error occurred, this is an example of error message
        status:
          type: integer
          description: HTTP status code
          example: 500
        traceback:
          type: array
          items:
            type: string
  responses:
    BadRequest:
      description: Bad Request - Invalid request parameters
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
    Unauthorized:
      description: |
        Unauthorized - Invalid or missing authentication credentials.
        Either the `Authorization` bearer token is missing or invalid, or
        the `Project` header is missing.
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
    Forbidden:
      description: Forbidden - Token does not have sufficient permissions
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
    NotFound:
      description: Not Found - The requested resource does not exist
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
  securitySchemes:
    IAMBearerAuth:
      type: http
      scheme: bearer
      bearerFormat: IAM
      description: |
        IAM bearer token issued by the Nebius IAM service. Sent as
        `Authorization: Bearer <iam-token>`. Must be combined with the
        `Project` header (see `IAMProjectHeader`).

        This is the recommended authentication scheme for new clients.
    IAMProjectHeader:
      type: apiKey
      in: header
      name: Project
      description: |
        Nebius project ID associated with the IAM token. Required together
        with `IAMBearerAuth`. Identifies the project context the request is
        scoped to.

````