Description of problem

The oc image extract command fails when extracting layers from container images that use zstd:chunked compression format. This also affects other tools that use the same code path, such as the rpms-signature-scan Konflux task.

Error message

error: unable to extract layer sha256:b4098303dead625adcb5a8cf710f4cd4b14c60ed4778e93ff1720d61c6860cdc from quay.io/opendatahub/odh-base-image-cpu-py312-c9s@sha256:a3db9be669fad791978381ff796fbe63bfcf2d3cf21130814b30b5b3bff466a2: archive/tar: invalid tar header

Root Cause Analysis

The zstd:chunked format embeds a Table of Contents (TOC) within zstd skippable frames in the compressed stream. This TOC contains metadata, SHA-256 checksums, and byte offsets for individual file chunks to enable lazy/partial pulling.

When oc image extract decompresses the zstd layer and passes it to Go's standard archive/tar library, the TOC metadata appears as unexpected content that the tar parser interprets as corrupted or invalid headers.

Key distinction: zstd:chunked is different from eStargz:

• eStargz: Uses gzip compression, appends TOC as a file entry in the tar archive (changes DiffID)
• zstd:chunked: Uses zstd compression, embeds TOC in zstd skippable frames (preserves DiffID)

Both formats break standard tar extraction when the consuming tool is not aware of the format.

Version-Release number of selected component

Affects current oc versions (tested with 4.18). The underlying issue is in the image layer extraction code that uses Go's archive/tar without zstd:chunked awareness.

How reproducible

100% - Always fails on zstd:chunked images.

Steps to Reproduce

1. Build or obtain a container image with zstd:chunked compression (using buildah push --compression-format zstd:chunked --force-compression)
2. Push to a registry (e.g., quay.io)
3. Attempt to extract the image:

   oc image extract quay.io/example/image:tag --path /some/path:/local/path
   

4. Observe the "archive/tar: invalid tar header" error

Actual results

Extraction fails with "archive/tar: invalid tar header" when processing zstd:chunked layers.

Expected results

oc image extract should either:

1. Support zstd:chunked format by understanding the TOC embedded in skippable frames, OR
2. Fall back to standard zstd decompression (which automatically skips the TOC frames) and extract the tar content correctly

Additional info

Related issues:

• STONEBLD-4276 - Konflux spike investigating zstd:chunked support
• konflux-ci/build-definitions#3188 - Upstream feature request

References:

• Pull container images faster with partial pulls - Dan Walsh & Giuseppe Scrivano
• containers/storage zstd-chunked docs
• Fedora zstd:chunked Change Proposal

Impact:
This blocks adoption of zstd:chunked compression for Red Hat product images, as tools like rpms-signature-scan use oc image extract and fail on these images. Large AI/ML images (8-15GB CUDA images) would significantly benefit from zstd:chunked's lazy pulling capabilities.