feats: support encrypting nydus data blobs

[taoohong]

support encrypting nydus data blobs

Related issue

[codecov]

Codecov Report

Merging #498 (3915fce) into main (3338db6) will decrease coverage by 0.02%.
The diff coverage is 0.00%.

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #498      +/-   ##
==========================================
- Coverage   37.91%   37.89%   -0.02%     
==========================================
  Files          60       60              
  Lines        7074     7077       +3     
==========================================
  Hits         2682     2682              
- Misses       4080     4083       +3     
  Partials      312      312              

Impacted Files	Coverage Δ
pkg/converter/tool/builder.go	0.00% <0.00%> (ø)
pkg/converter/tool/feature.go	89.85% <ø> (ø)

[sctb512]

LGTM

[taoohong]

I've add a test for encrypt since last commit in order to revole the code coverage problem. But it seems that the CI is not based on the latest nydus-image, causing the smoke unit test to fail. 😢 cc @changweige

[changweige]

I've add a test for encrypt since last commit in order to revole the code coverage problem. But it seems that the CI is not based on the latest nydus-image, causing the smoke unit test to fail. 😢 cc @changweige

I've add a test for encrypt since last commit in order to revole the code coverage problem. But it seems that the CI is not based on the latest nydus-image, causing the smoke unit test to fail. 😢 cc @changweige

Is there any plan for the next nydusd/nydus-image release with an image encryption feature?

[taoohong]

I've add a test for encrypt since last commit in order to revole the code coverage problem. But it seems that the CI is not based on the latest nydus-image, causing the smoke unit test to fail. 😢 cc @changweige

I've add a test for encrypt since last commit in order to revole the code coverage problem. But it seems that the CI is not based on the latest nydus-image, causing the smoke unit test to fail. 😢 cc @changweige

Is there any plan for the next nydusd/nydus-image release with an image encryption feature?

cc @jiangliu

[changweige]

Overall looks good to me. But for the sake of compatibility, we have to check if the underlying nydus toolchain meets our feature requirements in the function DetectFeatures. In this PR, the required feature would be --encrypt.

[changweige]

If there is no concrete plan for the next nydus-image release, we can move the CI test to another PR and just check if the underlying nydus-image has the feature --encrypt?

[taoohong]

just check if the underlying nydus-image has the feature --encrypt?

yes

If there is no concrete plan for the next nydus-image release, we can move the CI test to another PR and just check if the underlying nydus-image has the feature --encrypt?

codecov/patch would fail due to 0.00% of diff hit if I don't add the CI test. PR can still be merged even if this test failed?

[changweige]

just check if the underlying nydus-image has the feature --encrypt?

yes

If there is no concrete plan for the next nydus-image release, we can move the CI test to another PR and just check if the underlying nydus-image has the feature --encrypt?

codecov/patch would fail due to 0.00% of diff hit if I don't add the CI test. PR can still be merged even if this test failed?

In fact the result from codecov/patch is not a strong restriction, I can still press merge if it fails.

[changweige]

Should we detect if the required feature encrypt is supported by nydus-image? Seems we only define a constant here.

	requiredFeatures := tool.NewFeatures(tool.FeatureTar2Rafs)
	if opt.BatchSize != "" && opt.BatchSize != "0" {
		requiredFeatures.Add(tool.FeatureBatchSize)
	}

	detectedFeatures, err := tool.DetectFeatures(builderPath, required features, tool.GetHelp)
	if err != nil {
		return nil, err

[taoohong]

done

[changweige]

LGMT

[changweige]

Thanks