diff --git a/README.md b/README.md
index 414fc45f..5f65e34e 100644
--- a/README.md
+++ b/README.md
@@ -37,6 +37,10 @@ state = "/tmp/run/containerd"
 accepts = ["application/vnd.oci.image.layer.v1.tar+gzip+encrypted"]
 returns = "application/vnd.oci.image.layer.v1.tar+gzip"
 path = "/usr/local/bin/ctd-decoder"
+ [stream_processors."io.containerd.ocicrypt.decoder.v1.tar.zstd"]
+ accepts = ["application/vnd.oci.image.layer.v1.tar+zstd+encrypted"]
+ returns = "application/vnd.oci.image.layer.v1.tar+zstd"
+ path = "/usr/local/bin/ctd-decoder"
 [stream_processors."io.containerd.ocicrypt.decoder.v1.tar"]
 accepts = ["application/vnd.oci.image.layer.v1.tar+encrypted"]
 returns = "application/vnd.oci.image.layer.v1.tar"
diff --git a/cmd/ctr/commands/img/utils.go b/cmd/ctr/commands/img/utils.go
index e467ee55..cbf34147 100644
--- a/cmd/ctr/commands/img/utils.go
+++ b/cmd/ctr/commands/img/utils.go
@@ -57,8 +57,9 @@ func GetImageLayerDescriptors(ctx context.Context, cs content.Store, desc ocispe
 switch child.MediaType {
 case images.MediaTypeDockerSchema2LayerGzip, images.MediaTypeDockerSchema2Layer,
- ocispec.MediaTypeImageLayerGzip, ocispec.MediaTypeImageLayer,
- encocispec.MediaTypeLayerGzipEnc, encocispec.MediaTypeLayerEnc:
+ ocispec.MediaTypeImageLayerGzip, ocispec.MediaTypeImageLayerZstd, ocispec.MediaTypeImageLayer,
+ encocispec.MediaTypeLayerGzipEnc, encocispec.MediaTypeLayerEnc,
+ encocispec.MediaTypeLayerZstdEnc:
 tdesc := child
 tdesc.Platform = platform
 tmp = append(tmp, tdesc)
diff --git a/images/encryption/encryption.go b/images/encryption/encryption.go
index 291424d1..2fbbd269 100644
--- a/images/encryption/encryption.go
+++ b/images/encryption/encryption.go
@@ -60,7 +60,7 @@ func isLocalPlatform(platform *ocispec.Platform) bool {
 // IsEncryptedDiff returns true if mediaType is a known encrypted media type.
 func IsEncryptedDiff(ctx context.Context, mediaType string) bool {
 switch mediaType {
- case encocispec.MediaTypeLayerGzipEnc, encocispec.MediaTypeLayerEnc:
+ case encocispec.MediaTypeLayerZstdEnc, encocispec.MediaTypeLayerGzipEnc, encocispec.MediaTypeLayerEnc:
 return true
 }
 return false
@@ -113,12 +113,16 @@ func encryptLayer(cc *encconfig.CryptoConfig, dataReader content.ReaderAt, desc
 newDesc.MediaType = encocispec.MediaTypeLayerEnc
 case encocispec.MediaTypeLayerGzipEnc:
 newDesc.MediaType = encocispec.MediaTypeLayerGzipEnc
+ case encocispec.MediaTypeLayerZstdEnc:
+ newDesc.MediaType = encocispec.MediaTypeLayerZstdEnc
 case encocispec.MediaTypeLayerEnc:
 newDesc.MediaType = encocispec.MediaTypeLayerEnc
 // TODO: Mediatypes to be added in ocispec
 case ocispec.MediaTypeImageLayerGzip:
 newDesc.MediaType = encocispec.MediaTypeLayerGzipEnc
+ case ocispec.MediaTypeImageLayerZstd:
+ newDesc.MediaType = encocispec.MediaTypeLayerZstdEnc
 case ocispec.MediaTypeImageLayer:
 newDesc.MediaType = encocispec.MediaTypeLayerEnc
@@ -145,6 +149,8 @@ func DecryptLayer(dc *encconfig.DecryptConfig, dataReader io.Reader, desc ocispe
 switch desc.MediaType {
 case encocispec.MediaTypeLayerGzipEnc:
 newDesc.MediaType = images.MediaTypeDockerSchema2LayerGzip
+ case encocispec.MediaTypeLayerZstdEnc:
+ newDesc.MediaType = ocispec.MediaTypeImageLayerZstd
 case encocispec.MediaTypeLayerEnc:
 newDesc.MediaType = images.MediaTypeDockerSchema2Layer
 default:
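Review bot: In the DecryptLayer hunk the new case maps `encocispec.MediaTypeLayerZstdEnc` to `ocispec.MediaTypeImageLayerZstd`, while the neighbouring gzip and uncompressed cases map to the Docker schema2 media types, so a decrypted manifest can end up mixing the two media-type families depending on how each layer was compressed. As far as I can tell the `images` package offers no schema2 zstd constant, so the OCI type is the only choice here, but that reasoning is not visible in the code; a comment on the new case such as `// no Docker schema2 zstd layer type exists, so decrypted zstd layers always get the OCI media type` would spare the next reader the question. The same applies to the identical case added in decryptLayer in the following hunk. DecryptLayer's body continues outside the hunk.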
@@ -170,6 +176,8 @@ func decryptLayer(cc *encconfig.CryptoConfig, dataReader content.ReaderAt, desc
 switch desc.MediaType {
 case encocispec.MediaTypeLayerGzipEnc:
 newDesc.MediaType = images.MediaTypeDockerSchema2LayerGzip
+ case encocispec.MediaTypeLayerZstdEnc:
+ newDesc.MediaType = ocispec.MediaTypeImageLayerZstd
 case encocispec.MediaTypeLayerEnc:
 newDesc.MediaType = images.MediaTypeDockerSchema2Layer
 default:
@@ -284,7 +292,8 @@ func cryptChildren(ctx context.Context, cs content.Store, desc ocispec.Descripto
 case images.MediaTypeDockerSchema2Config, ocispec.MediaTypeImageConfig:
 config = child
 case images.MediaTypeDockerSchema2LayerGzip, images.MediaTypeDockerSchema2Layer,
- ocispec.MediaTypeImageLayerGzip, ocispec.MediaTypeImageLayer:
+ ocispec.MediaTypeImageLayerGzip, ocispec.MediaTypeImageLayer,
+ ocispec.MediaTypeImageLayerZstd:
 if cryptoOp == cryptoOpEncrypt && lf(child) {
 nl, err := cryptLayer(ctx, cs, child, cc, cryptoOp)
 if err != nil {
@@ -295,7 +304,7 @@ func cryptChildren(ctx context.Context, cs content.Store, desc ocispec.Descripto
 } else {
 newLayers = append(newLayers, child)
 }
- case encocispec.MediaTypeLayerGzipEnc, encocispec.MediaTypeLayerEnc:
+ case encocispec.MediaTypeLayerGzipEnc, encocispec.MediaTypeLayerZstdEnc, encocispec.MediaTypeLayerEnc:
 // this one can be decrypted but also its recipients list changed
 if lf(child) {
 nl, err := cryptLayer(ctx, cs, child, cc, cryptoOp)
diff --git a/script/tests/test_encryption.sh b/script/tests/test_encryption.sh
index 2dd2a071..1e63d1d8 100755
--- a/script/tests/test_encryption.sh
+++ b/script/tests/test_encryption.sh
@@ -91,6 +91,11 @@ state = "${STATEDIR}"
 returns = "application/vnd.oci.image.layer.v1.tar+gzip"
 path = "${BIN}/ctd-decoder"
+ [stream_processors."io.containerd.ocicrypt.decoder.v1.tar.zstd"]
+ accepts = ["application/vnd.oci.image.layer.v1.tar+zstd+encrypted"]
+ returns = "application/vnd.oci.image.layer.v1.tar+zstd"
+ path = "${BIN}/ctd-decoder"
+
 [stream_processors."io.containerd.ocicrypt.decoder.v1.tar"]
 accepts = ["application/vnd.oci.image.layer.v1.tar+encrypted"]
 returns = "application/vnd.oci.image.layer.v1.tar"
@@ -130,6 +135,12 @@ state = "${STATEDIR}"
 path = "${BIN}/ctd-decoder"
 args = ["--decryption-keys-path", "${LOCAL_KEYS_PATH}"]
+ [stream_processors."io.containerd.ocicrypt.decoder.v1.tar.zstd"]
+ accepts = ["application/vnd.oci.image.layer.v1.tar+zsdt+encrypted"]
+ returns = "application/vnd.oci.image.layer.v1.tar+zstd"
+ path = "${BIN}/ctd-decoder"
+ args = ["--decryption-keys-path", "${LOCAL_KEYS_PATH}"]
+
 [stream_processors."io.containerd.ocicrypt.decoder.v1.tar"]
 accepts = ["application/vnd.oci.image.layer.v1.tar+encrypted"]
 returns = "application/vnd.oci.image.layer.v1.tar"
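Review bot: The second hunk registers the zstd decoder with `accepts = ["application/vnd.oci.image.layer.v1.tar+zsdt+encrypted"]`, where `zsdt` is a transposition of `zstd`; the README hunk and the first hunk of this file both use `tar+zstd+encrypted`, which is also the media type the Go changes in this commit produce for an encrypted zstd layer. With the typo, this stream processor is never matched for such a layer in the keys-path configuration, so if the script pulls an encrypted zstd image through that config the decrypt step presumably fails, and if it does not, the test passes without exercising the new path at all. The line should read `accepts = ["application/vnd.oci.image.layer.v1.tar+zstd+encrypted"]`.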