add imgcrypt stream processors to the default config

Enable the following config by default: ```toml version = 2 [plugins."io.containerd.grpc.v1.cri".image_decryption] key_model = "node" [stream_processors] [stream_processors."io.containerd.ocicrypt.decoder.v1.tar.gzip"] accepts = ["application/vnd.oci.image.layer.v1.tar+gzip+encrypted"] returns = "application/vnd.oci.image.layer.v1.tar+gzip" path = "ctd-decoder" args = ["--decryption-keys-path", "/etc/containerd/ocicrypt/keys"] env = ["OCICRYPT_KEYPROVIDER_CONFIG=/etc/containerd/ocicrypt/ocicrypt_keyprovider.conf"] [stream_processors."io.containerd.ocicrypt.decoder.v1.tar"] accepts = ["application/vnd.oci.image.layer.v1.tar+encrypted"] returns = "application/vnd.oci.image.layer.v1.tar" path = "ctd-decoder" args = ["--decryption-keys-path", "/etc/containerd/ocicrypt/keys"] env = ["OCICRYPT_KEYPROVIDER_CONFIG=/etc/containerd/ocicrypt/ocicrypt_keyprovider.conf"] ``` Fix issue 5128 Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>
2021-03-08 18:06:04 +09:00
parent ac2726e12c
commit ecb881e5e6
5 changed files with 59 additions and 16 deletions
--- a/cmd/containerd/command/config.go
+++ b/cmd/containerd/command/config.go
@@ -20,12 +20,15 @@ import (
 	gocontext "context"
 	"io"
 	"os"
+	"path/filepath"

 	"github.com/BurntSushi/toml"
 	"github.com/containerd/containerd/defaults"
+	"github.com/containerd/containerd/images"
 	"github.com/containerd/containerd/pkg/timeout"
 	"github.com/containerd/containerd/services/server"
 	srvconfig "github.com/containerd/containerd/services/server/config"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/urfave/cli"
 )

@@ -125,7 +128,38 @@ func platformAgnosticDefaultConfig() *srvconfig.Config {
 			MaxRecvMsgSize: defaults.DefaultMaxRecvMsgSize,
 			MaxSendMsgSize: defaults.DefaultMaxSendMsgSize,
 		},
-		DisabledPlugins: []string{},
-		RequiredPlugins: []string{},
+		DisabledPlugins:  []string{},
+		RequiredPlugins:  []string{},
+		StreamProcessors: streamProcessors(),
+	}
+}
+
+func streamProcessors() map[string]srvconfig.StreamProcessor {
+	const (
+		ctdDecoder = "ctd-decoder"
+		basename   = "io.containerd.ocicrypt.decoder.v1"
+	)
+	decryptionKeysPath := filepath.Join(defaults.DefaultConfigDir, "ocicrypt", "keys")
+	ctdDecoderArgs := []string{
+		"--decryption-keys-path", decryptionKeysPath,
+	}
+	ctdDecoderEnv := []string{
+		"OCICRYPT_KEYPROVIDER_CONFIG=" + filepath.Join(defaults.DefaultConfigDir, "ocicrypt", "ocicrypt_keyprovider.conf"),
+	}
+	return map[string]srvconfig.StreamProcessor{
+		basename + ".tar.gzip": {
+			Accepts: []string{images.MediaTypeImageLayerGzipEncrypted},
+			Returns: ocispec.MediaTypeImageLayerGzip,
+			Path:    ctdDecoder,
+			Args:    ctdDecoderArgs,
+			Env:     ctdDecoderEnv,
+		},
+		basename + ".tar": {
+			Accepts: []string{images.MediaTypeImageLayerEncrypted},
+			Returns: ocispec.MediaTypeImageLayer,
+			Path:    ctdDecoder,
+			Args:    ctdDecoderArgs,
+			Env:     ctdDecoderEnv,
+		},
 	}
 }