support ocicrypt

Dockerfile

@@ -11,6 +11,8 @@ ARG CNI_ISOLATION_VERSION=0.0.3
 ARG BUILDKIT_VERSION=0.8.2
 # Extra deps: Lazy-pulling
 ARG STARGZ_SNAPSHOTTER_VERSION=0.4.1
+# Extra deps: Encryption
+ARG IMGCRYPT_VERSION=1.1.0
 # Extra deps: Rootless
 ARG ROOTLESSKIT_VERSION=0.14.0-beta.0
 ARG SLIRP4NETNS_VERSION=1.1.9
@@ -67,6 +69,11 @@ ARG STARGZ_SNAPSHOTTER_VERSION
 RUN curl -L https://github.com/containerd/stargz-snapshotter/releases/download/v${STARGZ_SNAPSHOTTER_VERSION}/stargz-snapshotter-v${STARGZ_SNAPSHOTTER_VERSION}-linux-${TARGETARCH:-amd64}.tar.gz | tar xzvC /out/bin && \
   curl -L -o /out/lib/systemd/system/stargz-snapshotter.service https://raw.githubusercontent.com/containerd/stargz-snapshotter/v${STARGZ_SNAPSHOTTER_VERSION}/script/config/etc/systemd/system/stargz-snapshotter.service && \
   echo "- Stargz Snapshotter: v${STARGZ_SNAPSHOTTER_VERSION}" >> /out/share/doc/nerdctl-full/README.md
+ARG IMGCRYPT_VERSION
+RUN git clone https://github.com/containerd/imgcrypt.git /go/src/github.com/containerd/imgcrypt && \
+  cd /go/src/github.com/containerd/imgcrypt && \
+  CGO_ENABLED=0 make && DESTDIR=/out make install && \
+  echo "- imgcrypt: v${IMGCRYPT_VERSION}" >> /out/share/doc/nerdctl-full/README.md
 ARG ROOTLESSKIT_VERSION
 RUN curl -L https://github.com/rootless-containers/rootlesskit/releases/download/v${ROOTLESSKIT_VERSION}/rootlesskit-$(uname -m).tar.gz | tar xzvC /out/bin && \
   rm -f /out/bin/rootlesskit-docker-proxy && \
@@ -86,9 +93,10 @@ RUN echo "" >> /out/share/doc/nerdctl-full/README.md && \
   echo "## License" >> /out/share/doc/nerdctl-full/README.md && \
   echo "- bin/slirp4netns:    [GNU GENERAL PUBLIC LICENSE, Version 2](https://github.com/rootless-containers/slirp4netns/blob/v${SLIRP4NETNS_VERSION}/COPYING)" >> /out/share/doc/nerdctl-full/README.md && \
   echo "- bin/fuse-overlayfs: [GNU GENERAL PUBLIC LICENSE, Version 3](https://github.com/containers/fuse-overlayfs/blob/v${FUSE_OVERLAYFS_VERSION}/COPYING)" >> /out/share/doc/nerdctl-full/README.md && \
-  echo "- Other files: [Apache License 2.0](https://www.apache.org/licenses/LICENSE-2.0)" >> /out/share/doc/nerdctl-full/README.md
-RUN (cd /out && find ! -type d | sort | xargs sha256sum > /tmp/SHA256SUMS ) && \
-  mv /tmp/SHA256SUMS /out/share/doc/nerdctl-full/SHA256SUMS
+  echo "- Other files: [Apache License 2.0](https://www.apache.org/licenses/LICENSE-2.0)" >> /out/share/doc/nerdctl-full/README.md && \
+  (cd /out && find ! -type d | sort | xargs sha256sum > /tmp/SHA256SUMS ) && \
+  mv /tmp/SHA256SUMS /out/share/doc/nerdctl-full/SHA256SUMS && \
+  chown -R 0:0 /out
 
 FROM scratch AS out-full
 COPY --from=build-full /out /

README.md

@@ -1,4 +1,6 @@
-[**Download**](https://github.com/AkihiroSuda/nerdctl/releases)
+[[⬇️ **Download]**](https://github.com/AkihiroSuda/nerdctl/releases)
+[[📖 **Command reference]**](#command-reference)
+[[📚 **Additional documents]**](#additional-documents)
 
 # nerdctl: Docker-compatible CLI for containerd
 
@@ -10,6 +12,8 @@
 
  ✅ Supports [lazy-pulling (Stargz)](./docs/stargz.md)
 
+ ✅ Supports [encrypted images (ocicrypt)](./docs/ocicrypt.md)
+
 ## Examples
 
 ### Basic usage
@@ -69,19 +73,25 @@ docker run -it --rm --privileged nerdctl
 
 The goal of `nerdctl` is to facilitate experimenting the cutting-edge features of containerd that are not present in Docker.
 
-Such features includes, but not limited to, [lazy-pulling](./docs/stargz.md) and [encryption of images](https://github.com/containerd/imgcrypt).
+Such features includes, but not limited to, [lazy-pulling](./docs/stargz.md) and [encryption of images](./docs/ocicrypt.md).
 
 Note that competing with Docker is _not_ the goal of `nerdctl`. Those cutting-edge features are expected to be eventually available in Docker as well.
 
 Also, `nerdctl` might be potentially useful for debugging Kubernetes clusters, but it is not the primary goal.
 
 ## Features present in `nerdctl` but not present in Docker
+Major:
+- [Lazy-pulling using Stargz Snapshotter](./docs/stargz.md): `nerdctl --snapshotter=stargz run` .
+- [Running encrypted images using ocicrypt (imgcrypt)](./docs/ocicrypt.md)
+
+Minor:
 - Namespacing: `nerdctl --namespace=<NS> ps` . 
   (NOTE: All Kubernetes containers are in the `k8s.io` containerd namespace regardless to Kubernetes namespaces)
-- [Lazy-pulling using Stargz Snapshotter](./docs/stargz.md): `nerdctl --snapshotter=stargz run` .
 - Exporting Docker/OCI dual-format archives: `nerdctl save` .
 - Importing OCI archives as well as Docker archives: `nerdctl load` .
 - Specifying a non-image rootfs: `nerdctl run -it --rootfs <ROOTFS> /bin/sh` . The CLI syntax conforms to Podman convention.
+
+Trivial:
 - Inspecting raw OCI config: `nerdctl container inspect --mode=native` .
 
 ## Similar tools
@@ -497,3 +507,4 @@ Others:
 - [`./docs/registry.md`](./docs/registry.md): Registry authentication (`~/.docker/config.json`)
 - [`./docs/rootless.md`](./docs/rootless.md): Rootless mode
 - [`./docs/stargz.md`](./docs/stargz.md):     Lazy-pulling using Stargz Snapshotter
+- [`./docs/ocicrypt.md`](./docs/ocicrypt.md): Running encrypted images

docs/ocicrypt.md

@@ -0,0 +1,41 @@
+# OCIcrypt
+
+
+See https://github.com/containerd/imgcrypt to learn further information.
+
+## Encryption
+
+See https://github.com/containerd/imgcrypt
+
+## Decryption
+
+### Configuration
+Add the following configuration to `/etc/containerd/config.toml` (for rootless `~/.config/containerd/config.toml`):
+
+```toml
+version = 2
+
+[stream_processors]
+  [stream_processors."io.containerd.ocicrypt.decoder.v1.tar.gzip"]
+    accepts = ["application/vnd.oci.image.layer.v1.tar+gzip+encrypted"]
+    returns = "application/vnd.oci.image.layer.v1.tar+gzip"
+    path = "ctd-decoder"
+    args = ["--decryption-keys-path", "/etc/containerd/ocicrypt/keys"]
+  [stream_processors."io.containerd.ocicrypt.decoder.v1.tar"]
+    accepts = ["application/vnd.oci.image.layer.v1.tar+encrypted"]
+    returns = "application/vnd.oci.image.layer.v1.tar"
+    path = "ctd-decoder"
+    args = ["--decryption-keys-path", "/etc/containerd/ocicrypt/keys"]
+
+# NOTE: On rootless, ~/.config/containerd is mounted as /etc/containerd in the namespace.
+```
+
+Future version of containerd may have this configuration by default: https://github.com/containerd/containerd/pull/5135
+
+Then, put the private key files to `/etc/containerd/ocicrypt/keys` (for rootless `~/.config/containerd/ocicrypt/keys`).
+
+### nerdctl run
+
+No flag is needed for running encrypted images with `nerdctl run`.
+
+Just run `nerdctl run example.com/encrypted-image`.

go.mod

@@ -7,6 +7,7 @@ require (
 	github.com/containerd/console v1.0.1
 	github.com/containerd/containerd v1.5.0-beta.2
 	github.com/containerd/go-cni v1.0.1
+	github.com/containerd/imgcrypt v1.1.0
 	github.com/containerd/stargz-snapshotter v0.4.1
 	github.com/containerd/stargz-snapshotter/estargz v0.4.1
 	github.com/containerd/typeurl v1.0.1
@@ -32,6 +33,6 @@ require (
 	github.com/urfave/cli/v2 v2.3.0
 	golang.org/x/crypto v0.0.0-20201117144127-c1f2f97bffc9
 	golang.org/x/sync v0.0.0-20201207232520-09787c993a3a
-	golang.org/x/sys v0.0.0-20210119212857-b64e53b001e4
-	gotest.tools/v3 v3.0.2
+	golang.org/x/sys v0.0.0-20210124154548-22da62e12c0c
+	gotest.tools/v3 v3.0.3
 )