image-rs: add encrypted nydus image tests #469
Conversation
ChengyuZhu6
requested review from
sameo,
jiangliu,
arronwy,
lumjjb,
jialez0 and
Xynnn007
as code owners
ChengyuZhu6
force-pushed
the
nydus-encrypted
branch
3 times, most recently
from
438df55
to
c75da0c
Compare
ChengyuZhu6
force-pushed
the
nydus-encrypted
branch
7 times, most recently
from
08bc2b7
to
f201d46
Compare
ChengyuZhu6
force-pushed
the
nydus-encrypted
branch
8 times, most recently
from
5f6816b
to
4faeaad
Compare
image-rs/tests/image_decryption.rs
Outdated
| @@ -43,6 +43,8 @@ const OCICRYPT_CONFIG: &str = "test_data/ocicrypt_keyprovider_ttrpc.conf"; | |||
| #[rstest::rstest] | |||
| #[case("ghcr.io/confidential-containers/test-container:unencrypted")] | |||
| #[case("ghcr.io/confidential-containers/test-container:encrypted")] | |||
| #[cfg_attr(not(feature = "nydus"), ignore)] | |||
| #[case("ghcr.io/chengyuzhu6/busybox:encrypted-nydus")] | |||
There was a problem hiding this comment.
Hi @fitzthum can you help to copy this image to CoCo repo?
skopeo copy docker://ghcr.io/chengyuzhu6/busybox:encrypted-nydus docker://ghcr.io/confidential-containers/test-container-image-rs:busybox-encrypted-nydus
There was a problem hiding this comment.
Hm skopeo complains when I run that command
FATA[0000] initializing image from source docker://ghcr.io/chengyuzhu6/busybox:encrypted-nydus: unsupported docker v2s2 media type: "application/vnd.oci.image.layer.nydus.blob.v1"
I can take a deeper look at it tomorrow. Maybe I need to update skopeo or something.
There was a problem hiding this comment.
Hey @fitzthum. To push a nydus image, we need to use special tools called nydusify and nydus-image. The following steps show how to push the nydus image:
- Get
nydus-imageandnydusifybinaries from release, for example :
$ wget https://github.com/dragonflyoss/nydus/releases/download/v2.2.4/nydus-static-v2.2.4-linux-amd64.tgz
$ tar -xf nydus-static-v2.2.4-linux-amd64.tgz- Push nydus image from source to target registry, for example :
cd nydus-static
./nydusify convert --source ghcr.io/chengyuzhu6/busybox:encrypted-nydus --target docker.io/zcy1234/busybox:encrypted-nydus --nydus-image ./nydus-imageI had successfully pushed the image to docker.io registry https://github.com/confidential-containers/guest-components/actions/runs/7825705239/job/21350313511?pr=473.
There was a problem hiding this comment.
Whoops I missed your comment. Thanks for the instructions. I pushed the image to ghcr.io/confidential-containers/busybox:nydus-encrypted. Slightly different than the name suggested but I think this is a bit more generic. Can change it if needed.
Let's make sure to add these instructions somewhere for users once the feature is supported.
There was a problem hiding this comment.
@fitzthum Would you kindly change the visibility of "ghcr.io/confidential-containers/busybox" to public? Currently, it is set to private, but CI need it to be public. https://github.com/confidential-containers/guest-components/actions/runs/7945843889/job/21692935674?pr=469#:~:text=failed%20to%20download,160
ChengyuZhu6
force-pushed
the
nydus-encrypted
branch
from
4faeaad
to
752283f
Compare
ChengyuZhu6
force-pushed
the
nydus-encrypted
branch
from
752283f
to
2ed8548
Compare
Add encrypted nydus image tests. Signed-off-by: ChengyuZhu6 <chengyu.zhu@intel.com>
ChengyuZhu6
force-pushed
the
nydus-encrypted
branch
from
2ed8548
to
d4ee83c
Compare
Add encrypted nydus image tests.