diff --git a/hack/verify-lint.sh b/hack/verify-lint.sh
index 36ccec1c4..1765f3c4a 100755
--- a/hack/verify-lint.sh
+++ b/hack/verify-lint.sh
@@ -29,6 +29,7 @@ for d in $(find . -type d -a \( -iwholename './pkg*' -o -iwholename './cmd*' \)
 --disable=aligncheck \
 --disable=gotype \
 --disable=gas \
+ --disable=gosec \
 --cyclo-over=60 \
 --dupl-threshold=100 \
 --tests \
diff --git a/pkg/containerd/importer/importer.go b/pkg/containerd/importer/importer.go
index 5b25bf9bd..0ec9b869c 100644
--- a/pkg/containerd/importer/importer.go
+++ b/pkg/containerd/importer/importer.go
@@ -87,13 +87,33 @@ type imageConfig struct {
 img ocispec.Image
 }
 
+type importConfig struct {
+ unpack bool
+ snapshotter string
+}
+
+// ImportOption configures import behavior.
+type ImportOption func(*importConfig)
+
+// WithUnpack is used to unpack image after import.
+func WithUnpack(snapshotter string) ImportOption {
+ return func(c *importConfig) {
+ c.unpack = true
+ c.snapshotter = snapshotter
+ }
+}
+
 // Import implements Docker Image Spec v1.1.
 // An image MUST have `manifest.json`.
 // `repositories` file in Docker Image Spec v1.0 is not supported (yet).
 // Also, the current implementation assumes the implicit file name convention,
 // which is not explicitly documented in the spec. (e.g. foobar/layer.tar)
 // It returns a group of image references successfully loaded.
-func Import(ctx context.Context, client *containerd.Client, reader io.Reader) (_ []string, retErr error) {
+func Import(ctx context.Context, client *containerd.Client, reader io.Reader, opts ...ImportOption) (_ []string, retErr error) {
+ c := &importConfig{}
+ for _, o := range opts {
+ o(c)
+ }
 ctx, done, err := client.WithLease(ctx)
 if err != nil {
 return nil, err
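Review bot: The added `--disable=gosec` switches the security linter off for every directory this loop lints, next to the existing `--disable=gas`, and nothing in the script records why. If the intent is only to keep the lint job passing after gas was renamed (an assumption; the hunk does not say), a comment above the gometalinter invocation, which starts outside this hunk, would make that explicit, for example `# gosec (formerly gas) is disabled: <reason or tracking issue>`. Where only a few findings are noisy, a targeted `--exclude='<pattern>'` would keep the remaining security checks running.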
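Review bot: Import's doc comment in pkg/containerd/importer/importer.go is left unchanged, so the new `opts ...ImportOption` parameter is undocumented, and WithUnpack's comment does not say what the snapshotter string names or that a failed unpack makes Import return an error (that return is in the later hunk at -209). Suggested wording on Import: `// opts modify the import, e.g. WithUnpack to unpack the imported images.` Suggested wording on WithUnpack: `// WithUnpack unpacks imported images into the named snapshotter; an unpack error aborts the import.` Import's body continues outside the hunk.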
@@ -209,6 +229,12 @@ func Import(ctx context.Context, client *containerd.Client, reader io.Reader) (_
 Name: ref,
 Target: *desc,
 }
+ if c.unpack {
+ img := containerd.NewImage(client, imgrec)
+ if err := img.Unpack(ctx, c.snapshotter); err != nil {
+ return refs, errors.Wrapf(err, "unpack image %q", ref)
+ }
+ }
 if _, err := is.Create(ctx, imgrec); err != nil {
 if !errdefs.IsAlreadyExists(err) {
 return refs, errors.Wrapf(err, "create image ref %+v", imgrec)
diff --git a/pkg/server/image_load.go b/pkg/server/image_load.go
index 2bd430716..d7f5ff842 100644
--- a/pkg/server/image_load.go
+++ b/pkg/server/image_load.go
@@ -39,7 +39,7 @@ func (c *criService) LoadImage(ctx context.Context, r *api.LoadImageRequest) (*a
 if err != nil {
 return nil, errors.Wrap(err, "failed to open file")
 }
- repoTags, err := importer.Import(ctx, c.client, f)
+ repoTags, err := importer.Import(ctx, c.client, f, importer.WithUnpack(c.config.ContainerdConfig.Snapshotter))
 if err != nil {
 return nil, errors.Wrap(err, "failed to import image")
 }
@@ -48,10 +48,6 @@ func (c *criService) LoadImage(ctx context.Context, r *api.LoadImageRequest) (*a
 if err != nil {
 return nil, errors.Wrapf(err, "failed to get image %q", repoTag)
 }
- if err := image.Unpack(ctx, c.config.ContainerdConfig.Snapshotter); err != nil {
- logrus.WithError(err).Warnf("Failed to unpack image %q", repoTag)
- // Do not fail image importing. Unpack will be retried when container creation.
- }
 info, err := getImageInfo(ctx, image)
 if err != nil {
 return nil, errors.Wrapf(err, "failed to get image %q info", repoTag)
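Review bot: In the `if c.unpack` block of Import, an unpack error now returns before `is.Create`, so the failing reference is never recorded; if this sits inside the per-reference loop that appears to start outside the hunk, the remaining references in the archive are skipped while earlier ones stay created. The LoadImage hunks in pkg/server/image_load.go remove the earlier warn-and-continue handling (`Unpack will be retried when container creation`), and LoadImage returns nil on any Import error, so one layer that cannot be unpacked presumably turns a tolerated condition into a failed load with the already-created images left in the store unreported. If failing closed on an archive that cannot be unpacked is intended, state it where it happens, e.g. `// Unpack before creating the image record; a failure aborts the import and refs holds only the images created so far.` Otherwise log the error and fall through to `is.Create`, as the old caller did.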