Encryption check failing for zstd-compressed images

[ttttodorov]

zstd is in the process of being formalized in the OCI images spec and is yet to be supported by e.g. Moby regarding distribution via image registries. Containerd already provides support for it via using the newly introduced MediaType application/vnd.oci.image.layer.v1.tar+zstd .

The current Kanto container management component uses imgcrypt's library to perform a mandatory image encryption check based on the image's metadata and the configuration provided for using the image. Trying to spin up even a simple container using a non-encrypted zstd-compressed image, though, currently fails with the following error:

Error: rpc error: code = Unknown desc = you are not authorized to use this image: bad/unhandled MediaType application/vnd.oci.image.layer.v1.tar+zstd in encryptChildren

To reproduce the issue one can use skopeo to change the compression of a simple hello-world image and then push it to a private/local registry, e.g.:

1. Use skopeo copy to create a zstd-compressed image and push it locally:

$ skopeo copy --dest-compress-format=zstd docker://hello-world docker://<some-plain-http-local-ip:port>/hello-world-zstd:latest --dest-tls-verify=false

2. Use skopeo inspect to check the result pushed image compression:

$ skopeo inspect --raw docker://<some-plain-http-local-ip:port>/hello-world-zstd:latest --tls-verify=false | jq -r '.layers[].mediaType'

[k-gostev]

I can check this, please assign me to this issue if possible.

edit:
Looks like there is no handling for application/vnd.oci.image.layer.v1.tar+zstd in the cryptChildren(...) method in the imgcrypt library, so it goes in the default case, hence the error that is observed. Also, I could not find any issue issue on this topic or any relevant documentation.

[k-gostev]

I have opened an issue in contained/imgcrypt: containerd/imgcrypt#95