What is the problem you're trying to solve
ocicrypt cannot be used with the default config, though the CRI plugin provides built-in support for ocicrypt.
Describe the solution you'd like
Add the following config to the default /etc/containerd/config.toml:

```toml
[stream_processors]
  [stream_processors."io.containerd.ocicrypt.decoder.v1.tar.gzip"]
    accepts = ["application/vnd.oci.image.layer.v1.tar+gzip+encrypted"]
    returns = "application/vnd.oci.image.layer.v1.tar+gzip"
    path = "ctd-decoder"
    args = ["--decryption-keys-path", "/etc/containerd/ocicrypt/keys"]
  [stream_processors."io.containerd.ocicrypt.decoder.v1.tar"]
    accepts = ["application/vnd.oci.image.layer.v1.tar+encrypted"]
    returns = "application/vnd.oci.image.layer.v1.tar"
    path = "ctd-decoder"
    args = ["--decryption-keys-path", "/etc/containerd/ocicrypt/keys"]
```
Additional context
We should make sure that the daemon can start up when ctd-decoder is not present in the $PATH, or /etc/containerd/ocicrypt/keys does not exist.
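
An operator-side preflight for the two conditions named under "Additional context" (decoder missing from `$PATH`, keys directory missing), as an added example that is not part of the original issue or of containerd's code. The function names are hypothetical, each `path`/`args` setting is assumed to sit on one line as in the proposed config, and the directory-mode check is an added hardening step the issue does not ask for.

```shell
#!/bin/sh
# Added example: preflight check for the ocicrypt stream_processors entries.
# Function names are hypothetical. Assumes each path/args setting sits on one line.

# Print one finding per line for the config file given as $1.
ocicrypt_findings() {
    [ -r "$1" ] || return 2
    # Only look inside [stream_processors."..."] tables; emit "bin NAME" / "dir PATH".
    awk '
        /^[ \t]*\[/ { sp = ($0 ~ /^[ \t]*\[stream_processors\./); next }
        !sp { next }
        { n = split($0, q, "\"") }
        /^[ \t]*path[ \t]*=/ { print "bin " q[2] }
        { for (i = 2; i + 2 <= n; i += 2)
              if (q[i] == "--decryption-keys-path") print "dir " q[i + 2] }
    ' "$1" | sort -u |
    while read -r kind value; do
        case $kind in
        bin) # The decoder binary must resolve through $PATH (or be an executable path).
            command -v "$value" >/dev/null 2>&1 ||
                echo "decoder not found in PATH: $value" ;;
        dir) # The keys directory must exist; the mode check is an added hardening step.
            if [ ! -d "$value" ]; then
                echo "keys directory missing: $value"
            else
                case "$(ls -ldL "$value")" in
                ???????---*) ;;   # no permissions for "other"
                *) echo "keys directory accessible to other users: $value" ;;
                esac
            fi ;;
        esac
    done
    return 0
}

# Return 0 when clean, 1 when there are findings, 2 when the file is unreadable.
check_ocicrypt_config() {
    out=$(ocicrypt_findings "$1") || return 2
    if [ -n "$out" ]; then
        printf '%s\n' "$out"
        return 1
    fi
    return 0
}

if [ "$#" -gt 0 ]; then check_ocicrypt_config "$1"; fi
```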