Harshal Patil
@cgwalters I had worked on adding the image encryption support for [CRIO](https://github.com/cri-o/cri-o/pull/2813) as well as [skopeo](https://github.com/containers/skopeo/pull/732). I would love to take this up, if no one else has already started...
Notes.
- Potentially [this](https://github.com/confidential-containers/guest-components/blob/f154a72ad86647bfb440cdf4ac0436cbd4dcdaba/image-rs/src/decrypt.rs#L41) decryptor can be used to decrypt the image layers.
@vrothberg good point, I haven't looked closely at the bootc code. I was assuming it was written completely in Rust which might require Rust implementation of c/image to decrypt the images....
> Nice to see you again, @harche 👋

Nice to see you too @vrothberg :)

> Right, bootc depends on [ostree-ext](https://github.com/ostreedev/ostree-rs-ext#ostree-ext) and that repo has the dependency graph for the architecture.

@cgwalters...

> > confidential computing folks already did - just not all of it
>
> Do you have a pointer? Curious to catch up on that.

https://github.com/confidential-containers/guest-components/blob/main/image-rs/docs/design.md#design

IIRC, within Red Hat...

> > I very strongly urge to not rewrite the containers/image library in Rust or any other language.
>
> Well, the confidential computing folks already did - just not...

> > https://github.com/confidential-containers/guest-components/blob/main/image-rs/docs/design.md#design
> >
> > IIRC, within Red Hat they are in #forum-sandboxed-containers and #wg-confidential-computing in slack.
>
> Thanks for the pointers, @harche! So are Red Hatters contributing to the...

Bootc currently employs the `skopeo image proxy` for the retrieval of container images. It uses the [GetBlob](https://github.com/containers/skopeo/blob/89e7a5e4bb542c0daafb90daaf26e8e8e41637e9/cmd/skopeo/proxy.go#L577) method of the proxy to [fetch a specific blob](https://github.com/ostreedev/ostree-rs-ext/blob/8737da95164620dd68cf22f9b9fbe7d2be2c5c74/lib/src/container/unencapsulate.rs#L236). Subsequently, Bootc independently [decompresses...
> It's on need basis. For confidential containers (CoCo) based on Kata, image-rs is the component that's responsible for handling the images (download, decryption).
>
> Julien (@littlejawa) will have...

> I like @cgwalters idea as I interpret it as reducing complexity and a host dependency. `podman image mount` may come in handy.

Cool, let's go with that! Thanks @vrothberg...