Description
When running with max_parallel_unpacks > 1, you will not honor whiteout files, meaning files deleted in later layers are present in the final overlayfs.
Steps to reproduce the issue
Kind of a wordy way of reproducing below, running the containerfile with the config makes it clear but I wanted to play around with the ctr commands :D
Here's a simple containerfile:
$ cat Containerfile
FROM fedora
RUN touch /this-will-be-deleted
RUN rm /this-will-be-deleted
CMD ["/bin/bash", "-c", "if [[ -e /this-will-be-deleted ]]; then exit 1; fi; exit 0"]
Here's a config.toml
$ cat /tmp/containerd.toml
root = "/tmp/containerd-test/root"
state = "/tmp/containerd-test/state"
[grpc]
address = "/tmp/containerd-test/containerd.sock"
[plugins]
[plugins.'io.containerd.transfer.v1.local']
max_concurrent_unpacks = 2
Here's the result pulling, running, and examining the outputs:
# sudo ctr -a /tmp/containerd-test/containerd.sock images pull docker.io/ajhalaney/whiteout:latest
docker.io/ajhalaney/whiteout:latest fetching image content
docker.io/ajhalaney/whiteout:latest fetching image content
docker.io/ajhalaney/whiteout:latest fetching image content
docker.io/ajhalaney/whiteout:latest fetching image content
docker.io/ajhalaney/whiteout:latest fetching image content
docker.io/ajhalaney/whiteout:latest fetching image content
docker.io/ajhalaney/whiteout:latest fetching image content
docker.io/ajhalaney/whiteout:latest fetching image content
docker.io/ajhalaney/whiteout:latest saved
└──manifest (0c0ddd905833) complete |++++++++++++++++++++++++++++++++++++++|
├──config (6b43f146ae7a) complete |++++++++++++++++++++++++++++++++++++++|
├──layer (6fedc8898b61) extracted |++++++++++++++++++++++++++++++++++++++|
├──layer (c08102457b12) extracted |++++++++++++++++++++++++++++++++++++++|
└──layer (f81a0d9bcd09) extracted |++++++++++++++++++++++++++++++++++++++|
application/vnd.oci.image.manifest.v1+json sha256:0c0ddd90583366057cb127a7b2026299f8cadda06a2a025b11222946480e7d7b
Completed pull from OCI Registry (docker.io/ajhalaney/whiteout:latest) elapsed: 3.7 s total: 58.0 M (15.5 MiB/s)
# sudo ctr -a /tmp/containerd-test/containerd.sock images ls
REF TYPE DIGEST SIZE PLATFORMS LABELS
docker.io/ajhalaney/whiteout:latest application/vnd.oci.image.manifest.v1+json sha256:0c0ddd90583366057cb127a7b2026299f8cadda06a2a025b11222946480e7d7b 58.0 MiB linux/amd64 -
# sudo ctr -a /tmp/containerd-test/containerd.sock snapshots --snapshotter overlayfs ls
KEY PARENT KIND
sha256:aa7b92b02603d4da7e30a20768f6e90f871f53c7d8fb008d2a98a35e12d25903 sha256:e95d9d0e6f87fd222a38defaf3ded0b7f009e2d2bed719ae89927a810ba25f75 Committed
sha256:e95d9d0e6f87fd222a38defaf3ded0b7f009e2d2bed719ae89927a810ba25f75 sha256:fbf251198d865bcc0302539eac8fc14533bce6e70eaa008da56576c9bd2c73ac Committed
sha256:fbf251198d865bcc0302539eac8fc14533bce6e70eaa008da56576c9bd2c73ac Committed
# sudo ./bin/ctr -a /tmp/containerd-test/containerd.sock snapshots --snapshotter overlayfs prepare test-active sha256:aa7b92b02603d4da7e30a20768f6e90f871f53c7d8fb008d2a98a35e12d25903
# sudo ./bin/ctr -a /tmp/containerd-test/containerd.sock snapshots --snapshotter overlayfs mounts /tmp/pointless test-active
mount -t overlay overlay /tmp/pointless -o workdir=/tmp/containerd-test/root/io.containerd.snapshotter.v1.overlayfs/snapshots/4/work,upperdir=/tmp/containerd-test/root/io.containerd.snapshotter.v1.overlayfs/snapshots/4/fs,lowerdir=/tmp/containerd-test/root/io.containerd.snapshotter.v1.overlayfs/snapshots/3/fs:/tmp/containerd-test/root/io.containerd.snapshotter.v1.overlayfs/snapshots/2/fs:/tmp/containerd-test/root/io.containerd.snapshotter.v1.overlayfs/snapshots/1/fs,index=off
# find /tmp/containerd-test/ -name this-will-be-deleted
/tmp/containerd-test/root/io.containerd.snapshotter.v1.overlayfs/snapshots/2/fs/this-will-be-deleted
# ls -lah /tmp/containerd-test/root/io.containerd.snapshotter.v1.overlayfs/snapshots/2/fs/this-will-be-deleted
-rw-r--r--. 1 root root 0 Mar 13 15:28 /tmp/containerd-test/root/io.containerd.snapshotter.v1.overlayfs/snapshots/2/fs/this-will-be-deleted
# sudo ./bin/ctr -a /tmp/containerd-test/containerd.sock run --rm --snapshotter overlayfs docker.io/ajhalaney/whiteout:latest test
# echo $?
1
You'd expect to find a character device in layer 3 there to delete the file in overlayfs.
Describe the results you received and expected
Redoing the same thing (after cleanup), but with max_concurrent_unpacks = 1:
(skipping setup)
# find /tmp/containerd-test/ -name this-will-be-deleted
/tmp/containerd-test/root/io.containerd.snapshotter.v1.overlayfs/snapshots/3/fs/this-will-be-deleted
/tmp/containerd-test/root/io.containerd.snapshotter.v1.overlayfs/snapshots/2/fs/this-will-be-deleted
# ls -lah /tmp/containerd-test/root/io.containerd.snapshotter.v1.overlayfs/snapshots/3/fs/this-will-be-deleted /tmp/containerd-test/root/io.containerd.snapshotter.v1.overlayfs/snapshots/2/fs/this-will-be-deleted
-rw-r--r--. 1 root root 0 Mar 13 15:28 /tmp/containerd-test/root/io.containerd.snapshotter.v1.overlayfs/snapshots/2/fs/this-will-be-deleted
c---------. 1 root root 0, 0 Mar 13 16:26 /tmp/containerd-test/root/io.containerd.snapshotter.v1.overlayfs/snapshots/3/fs/this-will-be-deleted
# sudo ./bin/ctr -a /tmp/containerd-test/containerd.sock run --rm --snapshotter overlayfs docker.io/ajhalaney/whiteout:latest test
# echo $?
0
That works great!
What version of containerd are you using?
v2.2.0-436-gb4848858e b484885
Any other relevant information
Show configuration if it is related to CRI plugin.
No response
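A check for the condition reported above, as an added example that is not part of the original report or of containerd: it reads the `.wh.<name>` entries from a layer tar and lists those that have no 0/0 character device in the unpacked snapshot directory. The function names and the constructed sample layer are assumptions made for illustration; opaque-directory markers are skipped.

```python
import io
import os
import stat
import tarfile

WH_PREFIX = ".wh."          # OCI image-spec whiteout prefix
WH_OPAQUE = ".wh..wh..opq"  # opaque-directory marker (an xattr on overlayfs)

def layer_deletions(layer_tar):
    """Paths a layer deletes, taken from its .wh.<name> tar entries."""
    deleted = []
    with tarfile.open(fileobj=layer_tar, mode="r:*") as tf:  # plain or gzip
        for member in tf:
            # Anchor at "/" so "../" or absolute names cannot escape the root.
            name = os.path.normpath("/" + member.name).lstrip("/")
            parent, base = os.path.split(name)
            if base == WH_OPAQUE:
                continue  # stored as an xattr, not a device node; not checked
            if base.startswith(WH_PREFIX):
                deleted.append(os.path.join(parent, base[len(WH_PREFIX):]))
    return deleted

def is_overlay_whiteout(path, lstat=os.lstat):
    """True if path is a character device with device number 0/0."""
    try:
        st = lstat(path)
    except FileNotFoundError:
        return False
    return stat.S_ISCHR(st.st_mode) and st.st_rdev == 0

def missing_whiteouts(layer_tar, snapshot_fs, lstat=os.lstat):
    """Deletions recorded in the layer that have no whiteout in snapshot_fs."""
    return [p for p in layer_deletions(layer_tar)
            if not is_overlay_whiteout(os.path.join(snapshot_fs, p), lstat)]

def constructed_layer():
    """Constructed sample: a layer tar with one file and one whiteout entry."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name in ("etc/hostname", ".wh.this-will-be-deleted"):
            tf.addfile(tarfile.TarInfo(name))
    buf.seek(0)
    return buf

if __name__ == "__main__":
    import tempfile
    # An empty directory stands in for a snapshots/N/fs that lost its whiteout.
    with tempfile.TemporaryDirectory() as fs:
        print(missing_whiteouts(constructed_layer(), fs))
```

Against a real store, pass the opened layer blob and the matching `snapshots/N/fs` directory to `missing_whiteouts`; a non-empty result means the layer recorded a deletion that the snapshot does not carry.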