From 0a55082cd4cb0ac2614a16fe3082b7728087b8ba Mon Sep 17 00:00:00 2001 From: taohong Date: Fri, 21 Jul 2023 11:03:03 +0800 Subject: [PATCH] feat: support convertion to encrypted nydus image Support convering oci image to encrypted nydus image. Signed-off-by: taohong --- go.mod | 2 +- go.sum | 4 +- pkg/driver/nydus/nydus.go | 81 ++++++++++++++++++++++----------------- 3 files changed, 48 insertions(+), 39 deletions(-) diff --git a/go.mod b/go.mod index c9622fc0..d1d5c56c 100644 --- a/go.mod +++ b/go.mod @@ -4,7 +4,7 @@ go 1.18 require ( github.com/containerd/containerd v1.7.2 - github.com/containerd/nydus-snapshotter v0.9.0 + github.com/containerd/nydus-snapshotter v0.10.0 github.com/containerd/stargz-snapshotter v0.14.3 github.com/containerd/stargz-snapshotter/estargz v0.14.3 github.com/docker/cli v23.0.3+incompatible diff --git a/go.sum b/go.sum index b7193f0c..3c5622cc 100644 --- a/go.sum +++ b/go.sum @@ -66,8 +66,8 @@ github.com/containerd/continuity v0.4.1 h1:wQnVrjIyQ8vhU2sgOiL5T07jo+ouqc2bnKsv5 github.com/containerd/continuity v0.4.1/go.mod h1:F6PTNCKepoxEaXLQp3wDAjygEnImnZ/7o4JzpodfroQ= github.com/containerd/fifo v1.1.0 h1:4I2mbh5stb1u6ycIABlBw9zgtlK8viPI9QkQNRQEEmY= github.com/containerd/fifo v1.1.0/go.mod h1:bmC4NWMbXlt2EZ0Hc7Fx7QzTFxgPID13eH0Qu+MAb2o= -github.com/containerd/nydus-snapshotter v0.9.0 h1:f0Tr3srVKDlURgLG/Kocy4WQIYsmSoc8ihHxdzfB2S0= -github.com/containerd/nydus-snapshotter v0.9.0/go.mod h1:xEsAzeM0gZEW6POBPOa+1X7EThYsEJNWnO/fhf2moYU= +github.com/containerd/nydus-snapshotter v0.10.0 h1:aCQoKmksOmZ2C34znlhOCOlYExiw4s/UPPzbIFKQc8U= +github.com/containerd/nydus-snapshotter v0.10.0/go.mod h1:xEsAzeM0gZEW6POBPOa+1X7EThYsEJNWnO/fhf2moYU= github.com/containerd/stargz-snapshotter v0.14.3 h1:OTUVZoPSPs8mGgmQUE1dqw3WX/3nrsmsurW7UPLWl1U= github.com/containerd/stargz-snapshotter v0.14.3/go.mod h1:j2Ya4JeA5gMZJr8BchSkPjlcCEh++auAxp4nidPI6N0= github.com/containerd/stargz-snapshotter/estargz v0.14.3 h1:OqlDCK3ZVUO6C3B/5FSkDwbkEETK84kQgEeFwDC+62k= 
diff --git a/pkg/driver/nydus/nydus.go b/pkg/driver/nydus/nydus.go index 2c8b3cf3..79543638 100644 --- a/pkg/driver/nydus/nydus.go +++ b/pkg/driver/nydus/nydus.go @@ -63,20 +63,21 @@ type chunkDictInfo struct { } type Driver struct { - workDir string - builderPath string - fsVersion string - compressor string - chunkDictRef string - mergeManifest bool - ociRef bool - docker2oci bool - alignedChunk bool - chunkSize string - batchSize string - prefetchPatterns string - backend backend.Backend - platformMC platforms.MatchComparer + workDir string + builderPath string + fsVersion string + compressor string + chunkDictRef string + mergeManifest bool + ociRef bool + docker2oci bool + alignedChunk bool + chunkSize string + batchSize string + prefetchPatterns string + backend backend.Backend + platformMC platforms.MatchComparer + encryptRecipients []string } func detectBuilderVersion(ctx context.Context, builder string) string { 
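Review bot: The new `encryptRecipients` field at the end of `Driver` is the only security-relevant setting in the struct, yet it has no comment saying what an entry looks like or what an empty slice means. Judging by the later `convert` hunk, an empty slice leaves the image unencrypted, so I would state that on the field, e.g. `// encryptRecipients holds the recipients passed to the nydus converter; when empty the image is not encrypted.` The expected entry syntax is not visible in this patch, so the comment should name it once confirmed against the nydus-snapshotter version pulled in here. The other changes in this hunk are gofmt realignment.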
@@ -174,26 +175,32 @@ func New(cfg map[string]string, platformMC platforms.MatchComparer) (*Driver, er return nil, errors.Wrap(err, "invalid oci_ref option") } + encryptRecipients := []string{} + if cfg["encrypt_recipients"] != "" { + encryptRecipients = strings.Split(cfg["encrypt_recipients"], ",") + } + if ociRef && fsVersion != "6" { logrus.Warn("forcibly using fs version 6 when oci_ref option enabled") fsVersion = "6" } return &Driver{ - workDir: workDir, - builderPath: builderPath, - fsVersion: fsVersion, - compressor: compressor, - chunkDictRef: chunkDictRef, - mergeManifest: mergeManifest, - ociRef: ociRef, - docker2oci: docker2oci, - alignedChunk: fsAlignChunk, - chunkSize: fsChunkSize, - batchSize: BatchSize, - prefetchPatterns: prefetchPatterns, - backend: _backend, - platformMC: platformMC, + workDir: workDir, + builderPath: builderPath, + fsVersion: fsVersion, + compressor: compressor, + chunkDictRef: chunkDictRef, + mergeManifest: mergeManifest, + ociRef: ociRef, + docker2oci: docker2oci, + alignedChunk: fsAlignChunk, + chunkSize: fsChunkSize, + batchSize: BatchSize, + prefetchPatterns: prefetchPatterns, + backend: _backend, + platformMC: platformMC, + encryptRecipients: encryptRecipients, }, nil } 
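Review bot: The `encrypt_recipients` value is split on commas without trimming or validation. As a result `"a, b"` yields a recipient with a leading space, and a trailing comma or a whitespace-only value yields an empty recipient that still turns encryption on later in `convert`. The visible `oci_ref` handling in `New` rejects a malformed value with an `invalid … option` error, and for an encryption setting it is safer to fail early than to hand a bad recipient list to the converter. I would trim each entry and return an error on an empty one, as sketched below. `New` begins above this hunk.

```go
// … unchanged: oci_ref parsing …
var encryptRecipients []string
if raw := cfg["encrypt_recipients"]; raw != "" {
	for _, r := range strings.Split(raw, ",") {
		r = strings.TrimSpace(r)
		if r == "" {
			return nil, errors.New("invalid encrypt_recipients option: empty recipient")
		}
		encryptRecipients = append(encryptRecipients, r)
	}
}
// … unchanged: fs version check and Driver construction …
```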
@@ -244,16 +251,18 @@ func (d *Driver) convert(ctx context.Context, provider accelcontent.Provider, so AlignedChunk: d.alignedChunk, ChunkSize: d.chunkSize, BatchSize: d.batchSize, + Encrypt: len(d.encryptRecipients) != 0, } mergeOpt := nydusify.MergeOption{ - WorkDir: packOpt.WorkDir, - BuilderPath: packOpt.BuilderPath, - FsVersion: packOpt.FsVersion, - ChunkDictPath: packOpt.ChunkDictPath, - PrefetchPatterns: packOpt.PrefetchPatterns, - Backend: packOpt.Backend, - OCI: d.docker2oci, - OCIRef: packOpt.OCIRef, + WorkDir: packOpt.WorkDir, + BuilderPath: packOpt.BuilderPath, + FsVersion: packOpt.FsVersion, + ChunkDictPath: packOpt.ChunkDictPath, + PrefetchPatterns: packOpt.PrefetchPatterns, + Backend: packOpt.Backend, + OCI: d.docker2oci, + OCIRef: packOpt.OCIRef, + EncryptRecipients: d.encryptRecipients, } convertHookFunc := func( ctx context.Context, cs content.Store, orgDesc ocispec.Descriptor, newDesc *ocispec.Descriptor,
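Review bot: `Encrypt` is switched on purely by `len(d.encryptRecipients) != 0`, and nothing in this hunk or in `New` checks how that combines with `OCIRef` or `ChunkDictPath`, both of which are still forwarded unchanged. If either mode makes the converted image reference blobs that this pack step did not produce (an inference, since the converter code is not shown), an operator could set recipients and still end up with data stored unencrypted. It is worth confirming the behaviour in nydus-snapshotter v0.10.0 and, if the combination is unsupported, rejecting it in `New` with an error rather than proceeding. `convert` starts above this hunk and continues below it.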