@@ -1,6 +1,6 @@

 # the following lines are in sorted order, FYI

 github.com/Azure/go-ansiterm d6e3b3328b783f23731bc4d058875b0371ff8109

-github.com/Microsoft/hcsshim v0.7.3

+github.com/Microsoft/hcsshim v0.7.6

 github.com/Microsoft/go-winio v0.4.11

 github.com/docker/libtrust 9cbd2a1374f46905c68a4eb3694a130610adc62a

 github.com/go-check/check 4ed411733c5785b40214c70bce814c3a3a689609 https://github.com/cpuguy83/check.git

@@ -75,7 +75,7 @@ github.com/pborman/uuid v1.0

 google.golang.org/grpc v1.12.0

 # This does not need to match RUNC_COMMIT as it is used for helper packages but should be newer or equal

-github.com/opencontainers/runc 20aff4f0488c6d4b8df4d85b4f63f1f704c11abd

+github.com/opencontainers/runc 00dc70017d222b178a002ed30e9321b12647af2d

 github.com/opencontainers/runtime-spec eba862dc2470385a233c7507392675cbeadf7353 # v1.0.1-45-geba862d

 github.com/opencontainers/image-spec v1.0.1

 github.com/seccomp/libseccomp-golang 32f571b70023028bd57d9288c20efbcb237f3ce0

@@ -114,14 +114,15 @@ github.com/googleapis/gax-go v2.0.0

 google.golang.org/genproto 694d95ba50e67b2e363f3483057db5d4910c18f9

 # containerd

-github.com/containerd/containerd d97a907f7f781c0ab8340877d8e6b53cc7f1c2f6

+github.com/containerd/containerd 0c5f8f63c3368856c320ae8a1c125e703b73b51d # v1.2.0-rc.1

 github.com/containerd/fifo 3d5202aec260678c48179c56f40e6f38a095738c

-github.com/containerd/continuity f44b615e492bdfb371aae2f76ec694d9da1db537

+github.com/containerd/continuity bd77b46c8352f74eb12c85bdc01f4b90f69d66b4

 github.com/containerd/cgroups 5e610833b72089b37d0e615de9a92dfc043757c2

 github.com/containerd/console c12b1e7919c14469339a5d38f2f8ed9b64a9de23

+github.com/containerd/cri 9f39e3289533fc228c5e5fcac0a6dbdd60c6047b # release/1.2 branch

 github.com/containerd/go-runc 5a6d9f37cfa36b15efba46dc7ea349fa9b7143c3

 github.com/containerd/typeurl a93fcdb778cd272c6e9b3028b2f42d813e785d40

-github.com/containerd/ttrpc 94dde388801693c54f88a6596f713b51a8b30b2d

+github.com/containerd/ttrpc 2a805f71863501300ae1976d29f0454ae003e85a

 github.com/gogo/googleapis 08a7655d27152912db7aaf4f983275eaf8d128ef

 # cluster

@@ -6,6 +6,8 @@ import (

 // HNSEndpoint represents a network endpoint in HNS

 type HNSEndpoint = hns.HNSEndpoint

+// Namespace represents a Compartment.

+type Namespace = hns.Namespace

 //SystemType represents the type of the system on which actions are done

 type SystemType string

@@ -9,15 +9,15 @@ import (

 // the parent layer provided.

 func CreateLayer(path, parent string) error {

 	title := "hcsshim::CreateLayer "

-	logrus.Debugf(title+"Flavour %d ID %s parent %s", path, parent)

+	logrus.Debugf(title+"ID %s parent %s", path, parent)

 	err := createLayer(&stdDriverInfo, path, parent)

 	if err != nil {

-		err = hcserror.Errorf(err, title, "path=%s parent=%s flavour=%d", path, parent)

+		err = hcserror.Errorf(err, title, "path=%s parent=%s", path, parent)

 		logrus.Error(err)

 		return err

 	}

-	logrus.Debugf(title+" - succeeded path=%s parent=%s flavour=%d", path, parent)

+	logrus.Debugf(title+"- succeeded path=%s parent=%s", path, parent)

 	return nil

 }

@@ -443,7 +443,7 @@ type ContentClient interface {

 	// Only one active stream may exist at a time for each ref.

 	//

 	// Once a write stream has started, it may only write to a single ref, thus

-	// once a stream is started, the ref may be ommitted on subsequent writes.

+	// once a stream is started, the ref may be omitted on subsequent writes.

 	//

 	// For any write transaction represented by a ref, only a single write may

 	// be made to a given offset. If overlapping writes occur, it is an error.

@@ -658,7 +658,7 @@ type ContentServer interface {

 	// Only one active stream may exist at a time for each ref.

 	//

 	// Once a write stream has started, it may only write to a single ref, thus

-	// once a stream is started, the ref may be ommitted on subsequent writes.

+	// once a stream is started, the ref may be omitted on subsequent writes.

 	//

 	// For any write transaction represented by a ref, only a single write may

 	// be made to a given offset. If overlapping writes occur, it is an error.

@@ -55,7 +55,7 @@ service Content {

 	// Only one active stream may exist at a time for each ref.

 	//

 	// Once a write stream has started, it may only write to a single ref, thus

-	// once a stream is started, the ref may be ommitted on subsequent writes.

+	// once a stream is started, the ref may be omitted on subsequent writes.

 	//

 	// For any write transaction represented by a ref, only a single write may

 	// be made to a given offset. If overlapping writes occur, it is an error.

@@ -20,9 +20,15 @@ import (

 	"bufio"

 	"bytes"

 	"compress/gzip"

+	"context"

 	"fmt"

 	"io"

+	"os"

+	"os/exec"

+	"strconv"

 	"sync"

+

+	"github.com/containerd/containerd/log"

 )

 type (

@@ -37,6 +43,13 @@ const (

 	Gzip

 )

+const disablePigzEnv = "CONTAINERD_DISABLE_PIGZ"

+

+var (

+	initPigz   sync.Once

+	unpigzPath string

+)

+

 var (

 	bufioReader32KPool = &sync.Pool{

 		New: func() interface{} { return bufio.NewReaderSize(nil, 32*1024) },

@@ -79,6 +92,36 @@ func (w *writeCloserWrapper) Close() error {

 	return nil

 }

+type bufferedReader struct {

+	buf *bufio.Reader

+}

+

+func newBufferedReader(r io.Reader) *bufferedReader {

+	buf := bufioReader32KPool.Get().(*bufio.Reader)

+	buf.Reset(r)

+	return &bufferedReader{buf}

+}

+

+func (r *bufferedReader) Read(p []byte) (n int, err error) {

+	if r.buf == nil {

+		return 0, io.EOF

+	}

+	n, err = r.buf.Read(p)

+	if err == io.EOF {

+		r.buf.Reset(nil)

+		bufioReader32KPool.Put(r.buf)

+		r.buf = nil

+	}

+	return

+}

+

+func (r *bufferedReader) Peek(n int) ([]byte, error) {

+	if r.buf == nil {

+		return nil, io.EOF

+	}

+	return r.buf.Peek(n)

+}

+

 // DetectCompression detects the compression algorithm of the source.

 func DetectCompression(source []byte) Compression {

 	for compression, m := range map[Compression][]byte{

@@ -97,8 +140,7 @@ func DetectCompression(source []byte) Compression {

 // DecompressStream decompresses the archive and returns a ReaderCloser with the decompressed archive.

 func DecompressStream(archive io.Reader) (DecompressReadCloser, error) {

-	buf := bufioReader32KPool.Get().(*bufio.Reader)

-	buf.Reset(archive)

+	buf := newBufferedReader(archive)

 	bs, err := buf.Peek(10)

 	if err != nil && err != io.EOF {

 		// Note: we'll ignore any io.EOF error because there are some odd

@@ -110,22 +152,29 @@ func DecompressStream(archive io.Reader) (DecompressReadCloser, error) {

 		return nil, err

 	}

-	closer := func() error {

-		buf.Reset(nil)

-		bufioReader32KPool.Put(buf)

-		return nil

-	}

 	switch compression := DetectCompression(bs); compression {

 	case Uncompressed:

-		readBufWrapper := &readCloserWrapper{buf, compression, closer}

-		return readBufWrapper, nil

+		return &readCloserWrapper{

+			Reader:      buf,

+			compression: compression,

+		}, nil

 	case Gzip:

-		gzReader, err := gzip.NewReader(buf)

+		ctx, cancel := context.WithCancel(context.Background())

+		gzReader, err := gzipDecompress(ctx, buf)

 		if err != nil {

+			cancel()

 			return nil, err

 		}

-		readBufWrapper := &readCloserWrapper{gzReader, compression, closer}

-		return readBufWrapper, nil

+

+		return &readCloserWrapper{

+			Reader:      gzReader,

+			compression: compression,

+			closer: func() error {

+				cancel()

+				return gzReader.Close()

+			},

+		}, nil

+

 	default:

 		return nil, fmt.Errorf("unsupported compression format %s", (&compression).Extension())

 	}

@@ -151,3 +200,67 @@ func (compression *Compression) Extension() string {

 	}

 	return ""

 }

+

+func gzipDecompress(ctx context.Context, buf io.Reader) (io.ReadCloser, error) {

+	initPigz.Do(func() {

+		if unpigzPath = detectPigz(); unpigzPath != "" {

+			log.L.Debug("using pigz for decompression")

+		}

+	})

+

+	if unpigzPath == "" {

+		return gzip.NewReader(buf)

+	}

+

+	return cmdStream(exec.CommandContext(ctx, unpigzPath, "-d", "-c"), buf)

+}

+

+func cmdStream(cmd *exec.Cmd, in io.Reader) (io.ReadCloser, error) {

+	reader, writer := io.Pipe()

+

+	cmd.Stdin = in

+	cmd.Stdout = writer

+

+	var errBuf bytes.Buffer

+	cmd.Stderr = &errBuf

+

+	if err := cmd.Start(); err != nil {

+		return nil, err

+	}

+

+	go func() {

+		if err := cmd.Wait(); err != nil {

+			writer.CloseWithError(fmt.Errorf("%s: %s", err, errBuf.String()))

+		} else {

+			writer.Close()

+		}

+	}()

+

+	return reader, nil

+}

+

+func detectPigz() string {

+	path, err := exec.LookPath("unpigz")

+	if err != nil {

+		log.L.WithError(err).Debug("unpigz not found, falling back to go gzip")

+		return ""

+	}

+

+	// Check if pigz disabled via CONTAINERD_DISABLE_PIGZ env variable

+	value := os.Getenv(disablePigzEnv)

+	if value == "" {

+		return path

+	}

+

+	disable, err := strconv.ParseBool(value)

+	if err != nil {

+		log.L.WithError(err).Warnf("could not parse %s: %s", disablePigzEnv, value)

+		return path

+	}

+

+	if disable {

+		return ""

+	}

+

+	return path

+}

@@ -76,6 +76,23 @@ func WithContainerLabels(labels map[string]string) NewContainerOpts {

 	}

 }

+// WithImageStopSignal sets a well-known containerd label (StopSignalLabel)

+// on the container for storing the stop signal specified in the OCI image

+// config

+func WithImageStopSignal(image Image, defaultSignal string) NewContainerOpts {

+	return func(ctx context.Context, _ *Client, c *containers.Container) error {

+		if c.Labels == nil {

+			c.Labels = make(map[string]string)

+		}

+		stopSignal, err := GetOCIStopSignal(ctx, image, defaultSignal)

+		if err != nil {

+			return err

+		}

+		c.Labels[StopSignalLabel] = stopSignal

+		return nil

+	}

+}

+

 // WithSnapshotter sets the provided snapshotter for use by the container

 //

 // This option must appear before other snapshotter options to have an effect.

@@ -28,12 +28,12 @@ import (

 //

 // The resources specified in this object are used to create tasks from the container.

 type Container struct {

-	// ID uniquely identifies the container in a nameapace.

+	// ID uniquely identifies the container in a namespace.

 	//

 	// This property is required and cannot be changed after creation.

 	ID string

-	// Labels provide metadata extension for a contaienr.

+	// Labels provide metadata extension for a container.

 	//

 	// These are optional and fully mutable.

 	Labels map[string]string

@@ -70,7 +70,7 @@ func WriteBlob(ctx context.Context, cs Ingester, ref string, r io.Reader, desc o

 	cw, err := OpenWriter(ctx, cs, WithRef(ref), WithDescriptor(desc))

 	if err != nil {

 		if !errdefs.IsAlreadyExists(err) {

-			return err

+			return errors.Wrap(err, "failed to open writer")

 		}

 		return nil // all ready present

@@ -127,7 +127,7 @@ func OpenWriter(ctx context.Context, cs Ingester, opts ...WriterOpt) (Writer, er

 func Copy(ctx context.Context, cw Writer, r io.Reader, size int64, expected digest.Digest, opts ...Opt) error {

 	ws, err := cw.Status()

 	if err != nil {

-		return err

+		return errors.Wrap(err, "failed to get status")

 	}

 	if ws.Offset > 0 {

@@ -138,7 +138,7 @@ func Copy(ctx context.Context, cw Writer, r io.Reader, size int64, expected dige

 	}

 	if _, err := copyWithBuffer(cw, r); err != nil {

-		return err

+		return errors.Wrap(err, "failed to copy")

 	}

 	if err := cw.Commit(ctx, size, expected, opts...); err != nil {

@@ -57,7 +57,7 @@ func (rw *remoteWriter) Status() (content.Status, error) {

 		Action: contentapi.WriteActionStat,

 	})

 	if err != nil {

-		return content.Status{}, errors.Wrap(err, "error getting writer status")

+		return content.Status{}, errors.Wrap(errdefs.FromGRPC(err), "error getting writer status")

 	}

 	return content.Status{

@@ -82,7 +82,7 @@ func (rw *remoteWriter) Write(p []byte) (n int, err error) {

 		Data:   p,

 	})

 	if err != nil {

-		return 0, err

+		return 0, errors.Wrap(errdefs.FromGRPC(err), "failed to send write")

 	}

 	n = int(resp.Offset - offset)

@@ -112,7 +112,7 @@ func (rw *remoteWriter) Commit(ctx context.Context, size int64, expected digest.

 		Labels:   base.Labels,

 	})

 	if err != nil {

-		return errdefs.FromGRPC(err)

+		return errors.Wrap(errdefs.FromGRPC(err), "commit failed")

 	}

 	if size != 0 && resp.Offset != size {

@@ -22,6 +22,7 @@ import (

 	"github.com/containerd/containerd/images"

 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"

+	"github.com/pkg/errors"

 )

 type exportOpts struct {

@@ -51,7 +52,7 @@ func (c *Client) Export(ctx context.Context, exporter images.Exporter, desc ocis

 	}

 	pr, pw := io.Pipe()

 	go func() {

-		pw.CloseWithError(exporter.Export(ctx, c.ContentStore(), desc, pw))

+		pw.CloseWithError(errors.Wrap(exporter.Export(ctx, c.ContentStore(), desc, pw), "export failed"))

 	}()

 	return pr, nil

 }

@@ -37,6 +37,8 @@ type Image interface {

 	Name() string

 	// Target descriptor for the image content

 	Target() ocispec.Descriptor

+	// Labels of the image

+	Labels() map[string]string

 	// Unpack unpacks the image's content into a snapshot

 	Unpack(context.Context, string) error

 	// RootFS returns the unpacked diffids that make up images rootfs.

@@ -86,6 +88,10 @@ func (i *image) Target() ocispec.Descriptor {

 	return i.i.Target

 }

+func (i *image) Labels() map[string]string {

+	return i.i.Labels

+}

+

 func (i *image) RootFS(ctx context.Context) ([]digest.Digest, error) {

 	provider := i.client.ContentStore()

 	return i.i.RootFS(ctx, provider, i.platform)

new file mode 100644

@@ -0,0 +1,262 @@

+/*

+   Copyright The containerd Authors.

+

+   Licensed under the Apache License, Version 2.0 (the "License");

+   you may not use this file except in compliance with the License.

+   You may obtain a copy of the License at

+

+       http://www.apache.org/licenses/LICENSE-2.0

+

+   Unless required by applicable law or agreed to in writing, software

+   distributed under the License is distributed on an "AS IS" BASIS,

+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

+   See the License for the specific language governing permissions and

+   limitations under the License.

+*/

+

+// Package archive provides a Docker and OCI compatible importer

+package archive

+

+import (

+	"archive/tar"

+	"bytes"

+	"context"

+	"encoding/json"

+	"io"

+	"io/ioutil"

+	"path"

+

+	"github.com/containerd/containerd/archive/compression"

+	"github.com/containerd/containerd/content"

+	"github.com/containerd/containerd/images"

+	"github.com/containerd/containerd/log"

+	digest "github.com/opencontainers/go-digest"

+	specs "github.com/opencontainers/image-spec/specs-go"

+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"

+	"github.com/pkg/errors"

+)

+

+// ImportIndex imports an index from a tar achive image bundle

+// - implements Docker v1.1, v1.2 and OCI v1.

+// - prefers OCI v1 when provided

+// - creates OCI index for Docker formats

+// - normalizes Docker references and adds as OCI ref name

+//      e.g. alpine:latest -> docker.io/library/alpine:latest

+// - existing OCI reference names are untouched

+// - TODO: support option to compress layers on ingest

+func ImportIndex(ctx context.Context, store content.Store, reader io.Reader) (ocispec.Descriptor, error) {

+	var (

+		tr = tar.NewReader(reader)

+

+		ociLayout ocispec.ImageLayout

+		mfsts     []struct {

+			Config   string

+			RepoTags []string

+			Layers   []string

+		}

+		symlinks = make(map[string]string)

+		blobs    = make(map[string]ocispec.Descriptor)

+	)

+	for {

+		hdr, err := tr.Next()

+		if err == io.EOF {

+			break

+		}

+		if err != nil {

+			return ocispec.Descriptor{}, err

+		}

+		if hdr.Typeflag == tar.TypeSymlink {

+			symlinks[hdr.Name] = path.Join(path.Dir(hdr.Name), hdr.Linkname)

+		}

+

+		if hdr.Typeflag != tar.TypeReg && hdr.Typeflag != tar.TypeRegA {

+			if hdr.Typeflag != tar.TypeDir {

+				log.G(ctx).WithField("file", hdr.Name).Debug("file type ignored")

+			}

+			continue

+		}

+

+		hdrName := path.Clean(hdr.Name)

+		if hdrName == ocispec.ImageLayoutFile {

+			if err = onUntarJSON(tr, &ociLayout); err != nil {

+				return ocispec.Descriptor{}, errors.Wrapf(err, "untar oci layout %q", hdr.Name)

+			}

+		} else if hdrName == "manifest.json" {

+			if err = onUntarJSON(tr, &mfsts); err != nil {

+				return ocispec.Descriptor{}, errors.Wrapf(err, "untar manifest %q", hdr.Name)

+			}

+		} else {

+			dgst, err := onUntarBlob(ctx, tr, store, hdr.Size, "tar-"+hdrName)

+			if err != nil {

+				return ocispec.Descriptor{}, errors.Wrapf(err, "failed to ingest %q", hdr.Name)

+			}

+

+			blobs[hdrName] = ocispec.Descriptor{

+				Digest: dgst,

+				Size:   hdr.Size,

+			}

+		}

+	}

+

+	// If OCI layout was given, interpret the tar as an OCI layout.

+	// When not provided, the layout of the tar will be interpretted

+	// as Docker v1.1 or v1.2.

+	if ociLayout.Version != "" {

+		if ociLayout.Version != ocispec.ImageLayoutVersion {

+			return ocispec.Descriptor{}, errors.Errorf("unsupported OCI version %s", ociLayout.Version)

+		}

+

+		idx, ok := blobs["index.json"]

+		if !ok {

+			return ocispec.Descriptor{}, errors.Errorf("missing index.json in OCI layout %s", ocispec.ImageLayoutVersion)

+		}

+

+		idx.MediaType = ocispec.MediaTypeImageIndex

+		return idx, nil

+	}

+

+	if mfsts == nil {

+		return ocispec.Descriptor{}, errors.Errorf("unrecognized image format")

+	}

+

+	for name, linkname := range symlinks {

+		desc, ok := blobs[linkname]

+		if !ok {

+			return ocispec.Descriptor{}, errors.Errorf("no target for symlink layer from %q to %q", name, linkname)

+		}

+		blobs[name] = desc

+	}

+

+	idx := ocispec.Index{

+		Versioned: specs.Versioned{

+			SchemaVersion: 2,

+		},

+	}

+	for _, mfst := range mfsts {

+		config, ok := blobs[mfst.Config]

+		if !ok {

+			return ocispec.Descriptor{}, errors.Errorf("image config %q not found", mfst.Config)

+		}

+		config.MediaType = ocispec.MediaTypeImageConfig

+

+		layers, err := resolveLayers(ctx, store, mfst.Layers, blobs)

+		if err != nil {

+			return ocispec.Descriptor{}, errors.Wrap(err, "failed to resolve layers")

+		}

+

+		manifest := ocispec.Manifest{

+			Versioned: specs.Versioned{

+				SchemaVersion: 2,

+			},

+			Config: config,

+			Layers: layers,

+		}

+

+		desc, err := writeManifest(ctx, store, manifest, ocispec.MediaTypeImageManifest)

+		if err != nil {

+			return ocispec.Descriptor{}, errors.Wrap(err, "write docker manifest")

+		}

+

+		platforms, err := images.Platforms(ctx, store, desc)

+		if err != nil {

+			return ocispec.Descriptor{}, errors.Wrap(err, "unable to resolve platform")

+		}

+		if len(platforms) > 0 {

+			// Only one platform can be resolved from non-index manifest,

+			// The platform can only come from the config included above,

+			// if the config has no platform it can be safely ommitted.

+			desc.Platform = &platforms[0]

+		}

+

+		if len(mfst.RepoTags) == 0 {

+			idx.Manifests = append(idx.Manifests, desc)

+		} else {

+			// Add descriptor per tag

+			for _, ref := range mfst.RepoTags {

+				mfstdesc := desc

+

+				normalized, err := normalizeReference(ref)

+				if err != nil {

+					return ocispec.Descriptor{}, err

+				}

+

+				mfstdesc.Annotations = map[string]string{

+					ocispec.AnnotationRefName: normalized,

+				}

+

+				idx.Manifests = append(idx.Manifests, mfstdesc)

+			}

+		}

+	}

+

+	return writeManifest(ctx, store, idx, ocispec.MediaTypeImageIndex)

+}

+

+func onUntarJSON(r io.Reader, j interface{}) error {

+	b, err := ioutil.ReadAll(r)

+	if err != nil {

+		return err

+	}

+	if err := json.Unmarshal(b, j); err != nil {

+		return err

+	}

+	return nil

+}

+

+func onUntarBlob(ctx context.Context, r io.Reader, store content.Ingester, size int64, ref string) (digest.Digest, error) {

+	dgstr := digest.Canonical.Digester()

+

+	if err := content.WriteBlob(ctx, store, ref, io.TeeReader(r, dgstr.Hash()), ocispec.Descriptor{Size: size}); err != nil {

+		return "", err

+	}

+

+	return dgstr.Digest(), nil

+}

+

+func resolveLayers(ctx context.Context, store content.Store, layerFiles []string, blobs map[string]ocispec.Descriptor) ([]ocispec.Descriptor, error) {

+	var layers []ocispec.Descriptor

+	for _, f := range layerFiles {

+		desc, ok := blobs[f]

+		if !ok {

+			return nil, errors.Errorf("layer %q not found", f)

+		}

+

+		// Open blob, resolve media type

+		ra, err := store.ReaderAt(ctx, desc)

+		if err != nil {

+			return nil, errors.Wrapf(err, "failed to open %q (%s)", f, desc.Digest)

+		}

+		s, err := compression.DecompressStream(content.NewReader(ra))

+		if err != nil {

+			return nil, errors.Wrapf(err, "failed to detect compression for %q", f)

+		}

+		if s.GetCompression() == compression.Uncompressed {

+			// TODO: Support compressing and writing back to content store

+			desc.MediaType = ocispec.MediaTypeImageLayer

+		} else {

+			desc.MediaType = ocispec.MediaTypeImageLayerGzip

+		}

+		s.Close()

+

+		layers = append(layers, desc)

+	}

+	return layers, nil

+}

+

+func writeManifest(ctx context.Context, cs content.Ingester, manifest interface{}, mediaType string) (ocispec.Descriptor, error) {

+	manifestBytes, err := json.Marshal(manifest)

+	if err != nil {

+		return ocispec.Descriptor{}, err

+	}

+

+	desc := ocispec.Descriptor{

+		MediaType: mediaType,

+		Digest:    digest.FromBytes(manifestBytes),

+		Size:      int64(len(manifestBytes)),

+	}

+	if err := content.WriteBlob(ctx, cs, "manifest-"+desc.Digest.String(), bytes.NewReader(manifestBytes), desc); err != nil {

+		return ocispec.Descriptor{}, err

+	}

+

+	return desc, nil

+}

new file mode 100644

@@ -0,0 +1,86 @@

+/*

+   Copyright The containerd Authors.

+

+   Licensed under the Apache License, Version 2.0 (the "License");

+   you may not use this file except in compliance with the License.

+   You may obtain a copy of the License at

+

+       http://www.apache.org/licenses/LICENSE-2.0

+

+   Unless required by applicable law or agreed to in writing, software

+   distributed under the License is distributed on an "AS IS" BASIS,

+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.

+   See the License for the specific language governing permissions and

+   limitations under the License.

+*/

+

+package archive

+

+import (

+	"strings"

+

+	"github.com/containerd/cri/pkg/util"

+	digest "github.com/opencontainers/go-digest"

+	"github.com/pkg/errors"

+)

+

+// FilterRefPrefix restricts references to having the given image

+// prefix. Tag-only references will have the prefix prepended.

+func FilterRefPrefix(image string) func(string) string {

+	return refTranslator(image, true)

+}

+

+// AddRefPrefix prepends the given image prefix to tag-only references,

+// while leaving returning full references unmodified.

+func AddRefPrefix(image string) func(string) string {

+	return refTranslator(image, false)

+}

+

+// refTranslator creates a reference which only has a tag or verifies

+// a full reference.

+func refTranslator(image string, checkPrefix bool) func(string) string {

+	return func(ref string) string {

+		// Check if ref is full reference

+		if strings.ContainsAny(ref, "/:@") {

+			// If not prefixed, don't include image

+			if checkPrefix && !isImagePrefix(ref, image) {

+				return ""

+			}

+			return ref

+		}

+		return image + ":" + ref

+	}

+}

+

+func isImagePrefix(s, prefix string) bool {

+	if !strings.HasPrefix(s, prefix) {

+		return false

+	}

+	if len(s) > len(prefix) {

+		switch s[len(prefix)] {

+		case '/', ':', '@':

+			// Prevent matching partial namespaces

+		default:

+			return false

+		}

+	}

+	return true

+}

+

+func normalizeReference(ref string) (string, error) {

+	// TODO: Replace this function to not depend on reference package

+	normalized, err := util.NormalizeImageRef(ref)

+	if err != nil {

+		return "", errors.Wrapf(err, "normalize image ref %q", ref)

+	}

+

+	return normalized.String(), nil

+}

+

+// DigestTranslator creates a digest reference by adding the

+// digest to an image name

+func DigestTranslator(prefix string) func(digest.Digest) string {

+	return func(dgst digest.Digest) string {

+		return prefix + "@" + dgst.String()

+	}

+}

@@ -129,6 +129,13 @@ type platformManifest struct {

 // Manifest resolves a manifest from the image for the given platform.

 //

+// When a manifest descriptor inside of a manifest index does not have

+// a platform defined, the platform from the image config is considered.

+//

+// If the descriptor points to a non-index manifest, then the manifest is

+// unmarshalled and returned without considering the platform inside of the

+// config.

+//

 // TODO(stevvooe): This violates the current platform agnostic approach to this

 // package by returning a specific manifest type. We'll need to refactor this

 // to return a manifest descriptor or decide that we want to bring the API in

@@ -152,7 +159,7 @@ func Manifest(ctx context.Context, provider content.Provider, image ocispec.Desc

 				return nil, err

 			}

-			if platform != nil {

+			if desc.Digest != image.Digest && platform != nil {

 				if desc.Platform != nil && !platform.Match(*desc.Platform) {

 					return nil, nil

 				}

@@ -27,7 +27,7 @@ import (

 // Importer is the interface for image importer.

 type Importer interface {

 	// Import imports an image from a tar stream.

-	Import(ctx context.Context, store content.Store, reader io.Reader) ([]Image, error)

+	Import(ctx context.Context, store content.Store, reader io.Reader) (ocispec.Descriptor, error)

 }

 // Exporter is the interface for image exporter.

@@ -18,35 +18,61 @@ package containerd

 import (

 	"context"

+	"encoding/json"

 	"io"

+	"github.com/containerd/containerd/content"

 	"github.com/containerd/containerd/errdefs"

 	"github.com/containerd/containerd/images"

+	"github.com/containerd/containerd/images/archive"

+	digest "github.com/opencontainers/go-digest"

+	ocispec "github.com/opencontainers/image-spec/specs-go/v1"

 )

 type importOpts struct {

+	indexName string

+	imageRefT func(string) string

+	dgstRefT  func(digest.Digest) string

 }

 // ImportOpt allows the caller to specify import specific options

-type ImportOpt func(c *importOpts) error

+type ImportOpt func(*importOpts) error

+

+// WithImageRefTranslator is used to translate the index reference

+// to an image reference for the image store.

+func WithImageRefTranslator(f func(string) string) ImportOpt {

+	return func(c *importOpts) error {

+		c.imageRefT = f

+		return nil

+	}

+}

-func resolveImportOpt(opts ...ImportOpt) (importOpts, error) {

-	var iopts importOpts

-	for _, o := range opts {

-		if err := o(&iopts); err != nil {

-			return iopts, err

-		}

+// WithDigestRef is used to create digest images for each

+// manifest in the index.

+func WithDigestRef(f func(digest.Digest) string) ImportOpt {