Add support for zstd type of compressed layers

Signed-off-by: Stefan Berger <stefanb@linux.ibm.com>
Resolves: containerd#95

README.md

@@ -37,6 +37,10 @@ state = "/tmp/run/containerd"
         accepts = ["application/vnd.oci.image.layer.v1.tar+gzip+encrypted"]
         returns = "application/vnd.oci.image.layer.v1.tar+gzip"
         path = "/usr/local/bin/ctd-decoder"
+    [stream_processors."io.containerd.ocicrypt.decoder.v1.tar.zstd"]
+        accepts = ["application/vnd.oci.image.layer.v1.tar+zstd+encrypted"]
+        returns = "application/vnd.oci.image.layer.v1.tar+zstd"
+        path = "/usr/local/bin/ctd-decoder"
     [stream_processors."io.containerd.ocicrypt.decoder.v1.tar"]
         accepts = ["application/vnd.oci.image.layer.v1.tar+encrypted"]
         returns = "application/vnd.oci.image.layer.v1.tar"

cmd/ctr/commands/img/utils.go

@@ -58,7 +58,8 @@ func GetImageLayerDescriptors(ctx context.Context, cs content.Store, desc ocispe
 			switch child.MediaType {
 			case images.MediaTypeDockerSchema2LayerGzip, images.MediaTypeDockerSchema2Layer,
 				ocispec.MediaTypeImageLayerGzip, ocispec.MediaTypeImageLayer,
-				encocispec.MediaTypeLayerGzipEnc, encocispec.MediaTypeLayerEnc:
+				encocispec.MediaTypeLayerGzipEnc, encocispec.MediaTypeLayerEnc,
+				encocispec.MediaTypeLayerZstdEnc:
 				tdesc := child
 				tdesc.Platform = platform
 				tmp = append(tmp, tdesc)

images/encryption/encryption.go

@@ -60,7 +60,7 @@ func isLocalPlatform(platform *ocispec.Platform) bool {
 // IsEncryptedDiff returns true if mediaType is a known encrypted media type.
 func IsEncryptedDiff(ctx context.Context, mediaType string) bool {
 	switch mediaType {
-	case encocispec.MediaTypeLayerGzipEnc, encocispec.MediaTypeLayerEnc:
+	case encocispec.MediaTypeLayerZstdEnc, encocispec.MediaTypeLayerGzipEnc, encocispec.MediaTypeLayerEnc:
 		return true
 	}
 	return false
@@ -113,12 +113,16 @@ func encryptLayer(cc *encconfig.CryptoConfig, dataReader content.ReaderAt, desc
 		newDesc.MediaType = encocispec.MediaTypeLayerEnc
 	case encocispec.MediaTypeLayerGzipEnc:
 		newDesc.MediaType = encocispec.MediaTypeLayerGzipEnc
+	case encocispec.MediaTypeLayerZstdEnc:
+		newDesc.MediaType = encocispec.MediaTypeLayerZstdEnc
 	case encocispec.MediaTypeLayerEnc:
 		newDesc.MediaType = encocispec.MediaTypeLayerEnc
 
 	// TODO: Mediatypes to be added in ocispec
 	case ocispec.MediaTypeImageLayerGzip:
 		newDesc.MediaType = encocispec.MediaTypeLayerGzipEnc
+	case ocispec.MediaTypeImageLayerZstd:
+		newDesc.MediaType = encocispec.MediaTypeLayerZstdEnc
 	case ocispec.MediaTypeImageLayer:
 		newDesc.MediaType = encocispec.MediaTypeLayerEnc
 
@@ -145,6 +149,8 @@ func DecryptLayer(dc *encconfig.DecryptConfig, dataReader io.Reader, desc ocispe
 	switch desc.MediaType {
 	case encocispec.MediaTypeLayerGzipEnc:
 		newDesc.MediaType = images.MediaTypeDockerSchema2LayerGzip
+	case encocispec.MediaTypeLayerZstdEnc:
+		newDesc.MediaType = ocispec.MediaTypeImageLayerZstd
 	case encocispec.MediaTypeLayerEnc:
 		newDesc.MediaType = images.MediaTypeDockerSchema2Layer
 	default:
@@ -170,6 +176,8 @@ func decryptLayer(cc *encconfig.CryptoConfig, dataReader content.ReaderAt, desc
 	switch desc.MediaType {
 	case encocispec.MediaTypeLayerGzipEnc:
 		newDesc.MediaType = images.MediaTypeDockerSchema2LayerGzip
+	case encocispec.MediaTypeLayerZstdEnc:
+		newDesc.MediaType = ocispec.MediaTypeImageLayerZstd
 	case encocispec.MediaTypeLayerEnc:
 		newDesc.MediaType = images.MediaTypeDockerSchema2Layer
 	default:
@@ -284,7 +292,8 @@ func cryptChildren(ctx context.Context, cs content.Store, desc ocispec.Descripto
 		case images.MediaTypeDockerSchema2Config, ocispec.MediaTypeImageConfig:
 			config = child
 		case images.MediaTypeDockerSchema2LayerGzip, images.MediaTypeDockerSchema2Layer,
-			ocispec.MediaTypeImageLayerGzip, ocispec.MediaTypeImageLayer:
+			ocispec.MediaTypeImageLayerGzip, ocispec.MediaTypeImageLayer,
+			ocispec.MediaTypeImageLayerZstd:
 			if cryptoOp == cryptoOpEncrypt && lf(child) {
 				nl, err := cryptLayer(ctx, cs, child, cc, cryptoOp)
 				if err != nil {
@@ -295,7 +304,7 @@ func cryptChildren(ctx context.Context, cs content.Store, desc ocispec.Descripto
 			} else {
 				newLayers = append(newLayers, child)
 			}
-		case encocispec.MediaTypeLayerGzipEnc, encocispec.MediaTypeLayerEnc:
+		case encocispec.MediaTypeLayerGzipEnc, encocispec.MediaTypeLayerZstdEnc, encocispec.MediaTypeLayerEnc:
 			// this one can be decrypted but also its recipients list changed
 			if lf(child) {
 				nl, err := cryptLayer(ctx, cs, child, cc, cryptoOp)

script/tests/test_encryption.sh

@@ -91,6 +91,11 @@ state = "${STATEDIR}"
 	returns = "application/vnd.oci.image.layer.v1.tar+gzip"
 	path = "${BIN}/ctd-decoder"
 
+    [stream_processors."io.containerd.ocicrypt.decoder.v1.tar.zstd"]
+	accepts = ["application/vnd.oci.image.layer.v1.tar+zstd+encrypted"]
+	returns = "application/vnd.oci.image.layer.v1.tar+zstd"
+	path = "${BIN}/ctd-decoder"
+
     [stream_processors."io.containerd.ocicrypt.decoder.v1.tar"]
 	accepts = ["application/vnd.oci.image.layer.v1.tar+encrypted"]
 	returns = "application/vnd.oci.image.layer.v1.tar"
@@ -130,6 +135,12 @@ state = "${STATEDIR}"
 	path = "${BIN}/ctd-decoder"
 	args = ["--decryption-keys-path", "${LOCAL_KEYS_PATH}"]
 
+    [stream_processors."io.containerd.ocicrypt.decoder.v1.tar.zstd"]
+	accepts = ["application/vnd.oci.image.layer.v1.tar+zsdt+encrypted"]
+	returns = "application/vnd.oci.image.layer.v1.tar+zstd"
+	path = "${BIN}/ctd-decoder"
+	args = ["--decryption-keys-path", "${LOCAL_KEYS_PATH}"]
+
     [stream_processors."io.containerd.ocicrypt.decoder.v1.tar"]
 	accepts = ["application/vnd.oci.image.layer.v1.tar+encrypted"]
 	returns = "application/vnd.oci.image.layer.v1.tar"