add imgcrypt stream processors to the default config

AkihiroSuda · AkihiroSuda · commit ecb881e5e6e3 · 2021-03-15T13:27:16.000+09:00
Enable the following config by default:

```toml
version = 2

[plugins."io.containerd.grpc.v1.cri".image_decryption]
  key_model = "node"

[stream_processors]
  [stream_processors."io.containerd.ocicrypt.decoder.v1.tar.gzip"]
    accepts = ["application/vnd.oci.image.layer.v1.tar+gzip+encrypted"]
    returns = "application/vnd.oci.image.layer.v1.tar+gzip"
    path = "ctd-decoder"
    args = ["--decryption-keys-path", "/etc/containerd/ocicrypt/keys"]
    env = ["OCICRYPT_KEYPROVIDER_CONFIG=/etc/containerd/ocicrypt/ocicrypt_keyprovider.conf"]
  [stream_processors."io.containerd.ocicrypt.decoder.v1.tar"]
    accepts = ["application/vnd.oci.image.layer.v1.tar+encrypted"]
    returns = "application/vnd.oci.image.layer.v1.tar"
    path = "ctd-decoder"
    args = ["--decryption-keys-path", "/etc/containerd/ocicrypt/keys"]
    env = ["OCICRYPT_KEYPROVIDER_CONFIG=/etc/containerd/ocicrypt/ocicrypt_keyprovider.conf"]
```

Fix issue 5128

Signed-off-by: Akihiro Suda &lt;akihiro.suda.cz@hco.ntt.co.jp&gt;
diff --git a/cmd/containerd/command/config.go b/cmd/containerd/command/config.go
@@ -20,12 +20,15 @@ import (
 	gocontext "context"
 	"io"
 	"os"
+	"path/filepath"
 
 	"github.com/BurntSushi/toml"
 	"github.com/containerd/containerd/defaults"
+	"github.com/containerd/containerd/images"
 	"github.com/containerd/containerd/pkg/timeout"
 	"github.com/containerd/containerd/services/server"
 	srvconfig "github.com/containerd/containerd/services/server/config"
+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
 	"github.com/urfave/cli"
 )
 
@@ -125,7 +128,38 @@ func platformAgnosticDefaultConfig() *srvconfig.Config {
 			MaxRecvMsgSize: defaults.DefaultMaxRecvMsgSize,
 			MaxSendMsgSize: defaults.DefaultMaxSendMsgSize,
 		},
-		DisabledPlugins: []string{},
-		RequiredPlugins: []string{},
+		DisabledPlugins:  []string{},
+		RequiredPlugins:  []string{},
+		StreamProcessors: streamProcessors(),
+	}
+}
+
+func streamProcessors() map[string]srvconfig.StreamProcessor {
+	const (
+		ctdDecoder = "ctd-decoder"
+		basename   = "io.containerd.ocicrypt.decoder.v1"
+	)
+	decryptionKeysPath := filepath.Join(defaults.DefaultConfigDir, "ocicrypt", "keys")
+	ctdDecoderArgs := []string{
+		"--decryption-keys-path", decryptionKeysPath,
+	}
+	ctdDecoderEnv := []string{
+		"OCICRYPT_KEYPROVIDER_CONFIG=" + filepath.Join(defaults.DefaultConfigDir, "ocicrypt", "ocicrypt_keyprovider.conf"),
+	}
+	return map[string]srvconfig.StreamProcessor{
+		basename + ".tar.gzip": {
+			Accepts: []string{images.MediaTypeImageLayerGzipEncrypted},
+			Returns: ocispec.MediaTypeImageLayerGzip,
+			Path:    ctdDecoder,
+			Args:    ctdDecoderArgs,
+			Env:     ctdDecoderEnv,
+		},
+		basename + ".tar": {
+			Accepts: []string{images.MediaTypeImageLayerEncrypted},
+			Returns: ocispec.MediaTypeImageLayer,
+			Path:    ctdDecoder,
+			Args:    ctdDecoderArgs,
+			Env:     ctdDecoderEnv,
+		},
 	}
 }
diff --git a/docs/cri/decryption.md b/docs/cri/decryption.md
@@ -15,32 +15,31 @@ In this model encryption is tied to worker nodes. The usecase here revolves arou
 
 ### Configuring image decryption for "node" key model
 
-The default configuration does not handle decrypting encrypted container images.
+This is the default model since containerd v1.5.
 
-An example for configuring the "node" key model for container image decryption:
-
-Configure `cri` to enable decryption with "node" key model
+For containerd v1.4, you need to add the following configuration to `/etc/containerd/config.toml` and restart the `containerd` service manually.
 ```toml
+version = 2
+
 [plugins."io.containerd.grpc.v1.cri".image_decryption]
   key_model = "node"
-```
 
-Configure `containerd` daemon [`stream_processors`](https://github.com/containerd/containerd/blob/master/docs/stream_processors.md) to handle the
-encrypted mediatypes.
-```toml
 [stream_processors]
   [stream_processors."io.containerd.ocicrypt.decoder.v1.tar.gzip"]
     accepts = ["application/vnd.oci.image.layer.v1.tar+gzip+encrypted"]
     returns = "application/vnd.oci.image.layer.v1.tar+gzip"
-    path = "/usr/local/bin/ctd-decoder"
-    args = ["--decryption-keys-path", "/keys"]
+    path = "ctd-decoder"
+    args = ["--decryption-keys-path", "/etc/containerd/ocicrypt/keys"]
+    env= ["OCICRYPT_KEYPROVIDER_CONFIG=/etc/containerd/ocicrypt/ocicrypt_keyprovider.conf"]
   [stream_processors."io.containerd.ocicrypt.decoder.v1.tar"]
     accepts = ["application/vnd.oci.image.layer.v1.tar+encrypted"]
     returns = "application/vnd.oci.image.layer.v1.tar"
-    path = "/usr/local/bin/ctd-decoder"
-    args = ["--decryption-keys-path", "/keys"]
+    path = "ctd-decoder"
+    args = ["--decryption-keys-path", "/etc/containerd/ocicrypt/keys"]
+    env= ["OCICRYPT_KEYPROVIDER_CONFIG=/etc/containerd/ocicrypt/ocicrypt_keyprovider.conf"]
 ```
 
-In this example, container image decryption is set to use the "node" key model. In addition, the decryption [`stream_processors`](https://github.com/containerd/containerd/blob/master/docs/stream_processors.md) are configured as specified in [containerd/imgcrypt project](https://github.com/containerd/imgcrypt), with the additional field `--decryption-keys-path` configured to specify where decryption keys are located locally in the node.
+In this example, container image decryption is set to use the "node" key model.
+In addition, the decryption [`stream_processors`](https://github.com/containerd/containerd/blob/master/docs/stream_processors.md) are configured as specified in [containerd/imgcrypt project](https://github.com/containerd/imgcrypt), with the additional field `--decryption-keys-path` configured to specify where decryption keys are located locally in the node.
 
-After modify this config, you need restart the `containerd` service.
+The `$OCICRYPT_KEYPROVIDER_CONFIG` environment variable is used for [ocicrypt keyprovider protocol](https://github.com/containers/ocicrypt/blob/master/docs/keyprovider.md).
diff --git a/images/mediatypes.go b/images/mediatypes.go
@@ -49,6 +49,9 @@ const (
 	MediaTypeContainerd1CheckpointRuntimeOptions = "application/vnd.containerd.container.checkpoint.runtime.options+proto"
 	// Legacy Docker schema1 manifest
 	MediaTypeDockerSchema1Manifest = "application/vnd.docker.distribution.manifest.v1+prettyjws"
+	// Encypted media types
+	MediaTypeImageLayerEncrypted     = ocispec.MediaTypeImageLayer + "+encrypted"
+	MediaTypeImageLayerGzipEncrypted = ocispec.MediaTypeImageLayerGzip + "+encrypted"
 )
 
 // DiffCompression returns the compression as defined by the layer diff media
diff --git a/pkg/cri/config/config_unix.go b/pkg/cri/config/config_unix.go
@@ -72,5 +72,8 @@ func DefaultConfig() PluginConfig {
 		TolerateMissingHugetlbController: true,
 		DisableHugetlbController:         true,
 		IgnoreImageDefinedVolumes:        false,
+		ImageDecryption: ImageDecryption{
+			KeyModel: KeyModelNode,
+		},
 	}
 }
diff --git a/pkg/cri/config/config_windows.go b/pkg/cri/config/config_windows.go
@@ -67,5 +67,9 @@ func DefaultConfig() PluginConfig {
 		MaxConcurrentDownloads:    3,
 		IgnoreImageDefinedVolumes: false,
 		// TODO(windows): Add platform specific config, so that most common defaults can be shared.
+
+		ImageDecryption: ImageDecryption{
+			KeyModel: KeyModelNode,
+		},
 	}
 }

Original file line number	Diff line number	Diff line change
`@@ -49,6 +49,9 @@ const (`
`49`	`49`	`MediaTypeContainerd1CheckpointRuntimeOptions = "application/vnd.containerd.container.checkpoint.runtime.options+proto"`
`50`	`50`	`// Legacy Docker schema1 manifest`
`51`	`51`	`MediaTypeDockerSchema1Manifest = "application/vnd.docker.distribution.manifest.v1+prettyjws"`
	`52`	`+ // Encypted media types`
	`53`	`+ MediaTypeImageLayerEncrypted = ocispec.MediaTypeImageLayer + "+encrypted"`
	`54`	`+ MediaTypeImageLayerGzipEncrypted = ocispec.MediaTypeImageLayerGzip + "+encrypted"`
`52`	`55`	`)`
`53`	`56`
`54`	`57`	`// DiffCompression returns the compression as defined by the layer diff media`
Original file line number	Diff line number	Diff line change
`@@ -72,5 +72,8 @@ func DefaultConfig() PluginConfig {`
`72`	`72`	`TolerateMissingHugetlbController: true,`
`73`	`73`	`DisableHugetlbController: true,`
`74`	`74`	`IgnoreImageDefinedVolumes: false,`
	`75`	`+ ImageDecryption: ImageDecryption{`
	`76`	`+ KeyModel: KeyModelNode,`
	`77`	`+ },`
`75`	`78`	`}`
`76`	`79`	`}`
Original file line number	Diff line number	Diff line change
`@@ -67,5 +67,9 @@ func DefaultConfig() PluginConfig {`
`67`	`67`	`MaxConcurrentDownloads: 3,`
`68`	`68`	`IgnoreImageDefinedVolumes: false,`
`69`	`69`	`// TODO(windows): Add platform specific config, so that most common defaults can be shared.`
	`70`	`+`
	`71`	`+ ImageDecryption: ImageDecryption{`
	`72`	`+ KeyModel: KeyModelNode,`
	`73`	`+ },`
`70`	`74`	`}`
`71`	`75`	`}`