ipfs: add support to pull images by ref

[wswsmao]

The solution for issue #1944 has been finalized, with the main design concepts outlined as follows:

1. IPNS
   IPNS provides the ipfs name publish and ipfs name resolve commands, which allow for associating a file with an IPNS name, enabling publishing and retrieval.
   For IPFS images, we can consider publishing the root descriptor file, allowing other nodes to resolve this file to pull the image. IPNS requires key management to control the publishing and resolution of IPNS names, with each key corresponding to a unique IPNS name.
   This characteristic is well-suited for associating with image references, ultimately establishing the following relationship:
   Image ref -> Key -> Root Descriptor -> Image File

2. Deterministic Keys
   Different nodes will share the same deterministic key algorithm to ensure that each node receives the same key for the same image name. This allows every node to pull and push images. Specifically:

   • ​Pull Phase​: The corresponding image ref can be resolved using just the public key ID.
   • ​Push Phase​: The private key must first be imported into the local IPFS. After uploading the image, the updated root descriptor file will be published.

Additional Notes
This submission is compatible with the existing method. During the push / pull phase, the input will be checked to determine if it is a ref. If users still prefer to use CID, this method will remain valid.

Feature Demonstration
On Node A:

./ctr-remote i ipfs-push --estargz=false docker.io/abushwang/oc9-busybox:org
or
./ctr-remote i ipfs-push --estargz=true docker.io/abushwang/oc9-busybox:esgz

On other nodes:

./ctr-remote i rpull --snapshotter=overlayfs --ipfs docker.io/abushwang/oc9-busybox:org
or
./ctr-remote i rpull --snapshotter=stargz --ipfs docker.io/abushwang/oc9-busybox:esgz

Other nodes can also rebuild docker.io/abushwang/oc9-busybox:org, and then run:

./ctr-remote i ipfs-push --estargz=false docker.io/abushwang/oc9-busybox:org

At this point, Node A can pull the updated image:

./ctr-remote i rpull --snapshotter=overlayfs --ipfs docker.io/abushwang/oc9-busybox:org

[AkihiroSuda]

Can we remove this dependency on "Decred" cryptocurrency to avoid potential confusion?

[wswsmao]

This might be a bit difficult. 'Decred' is introduced by the following two packages:

github.com/libp2p/go-libp2p/core/crypto
github.com/libp2p/go-libp2p/core/peer

These two packages are used to compute the public key and peer ID in IPFS.
The Kubo project also introduces 'Decred':
https://github.com/ipfs/kubo/blob/master/go.mod#L119

[AkihiroSuda]

Can we just exec the ipfs command for computing them?

[AkihiroSuda]

Actually we got a compliant about a dependency on a bitcoin-originated library in the past, although it was not for mining nor trading bitcoin

[AkihiroSuda]

• go.mod: add a comment about indirect dependency on github.com/btcsuite/btcd/btcec (NOT bitcoin daemon itself) nerdctl#1573

[wswsmao]

Let me think. Do you mean that in ipnskey.go's (g *DetKeyGen) generateKey(name string), after we obtain the seed bytes for the deterministic keys through reader.Read(seedBytes), we execute the IPFS command using an OS command (for example, exec.Command) to calculate the public key and peer ID?

[wswsmao]

Oh, actually, there's no need to use the IPFS command; we can just use the API. We can import the private key into IPFS and then use the list API to obtain the public key ID and peer ID. I'll update the PR.

[wswsmao]

done

[ktock]

This should be removed.

[wswsmao]

done
Refer to: #1968 (comment)

[ktock]

Is this tolerant to restart?

[wswsmao]

KeyStore has been removed now

[ktock]

needs docs

[wswsmao]

done, add doc to docs/ipfs.md

[ktock]

can you add a comment of link to ipfs api docs?

[wswsmao]

done

[ktock]

This shouldn't be imported to stargz snapshotter but should be done in ipfs daemon.

[wswsmao]

done
Refer to: #1968 (comment)

[wswsmao]

@AkihiroSuda @ktock
The PR has been updated with the following changes:

• Removed unnecessary dependencies: The generated key is now imported into IPFS, and the peer ID can be retrieved later using IPFS's list API, thus avoiding redundant dependencies.
• Since the peer ID and related information are stored in IPFS, there is no longer a need for the KeyStore hash table to record the ref and peer ID; this can be accomplished directly through the list API.
• Updated the docs/ipfs.md documentation.

[ktock]

Can you add integration tests?

[ktock]

why?

[wswsmao]

no need update to v0.4.1
done

[ktock]

can you add a comment of link to ipfs api docs?

[ktock]

needs explanation comments and link to docs

[wswsmao]

done

[wswsmao]

Hi, @ktock
The PR has been updated with the following changes:

• Add integration tests in script/integration/containerd/entrypoint.sh
• Add comments of link to ipfs api docs for package ipnskey, Resolve, Publish and importKey

[ktock]

Can we have docs about lifetime and republishing of contents?

[wswsmao]

done, https://github.com/containerd/stargz-snapshotter/pull/1968/files#diff-0625292be4242bc6994d3dfc768c9a02f37e1c43a59848e38d8464e3228c128fR174

[ktock]

Can't we use the gen API for this? https://docs.ipfs.tech/reference/kubo/rpc/#api-v0-key-gen

[ktock]

@wswsmao can you check this ^

[wswsmao]

oh, I got a little trouble, check done

[ktock]

So this sounds like all users on the IPFS network can get the private key of an image ref and update and sign the image. How can a user verify the image is updated by a trusted one, just like the default IPNS settings?

[wswsmao]

When using IPFS, we have configured a IPFS private network by default, where the nodes within this private network are considered trusted. Additionally, nodes outside of the private network, even if they obtain the private key, will not be able to publish or resolve image files.

[wswsmao]

all review done @ktock