What is the problem you're trying to solve
The current overlay snapshotter unpacks each file and directory into overlayfs, which causes more metadata overhead and makes it hard to track the integrity of individual files; an unexpected system crash can leave layers in an inconsistent state.
There is no way to protect files, directories, or the filesystem layer hierarchy, e.g. to make the whole layer immutable, and no runtime data integrity protection.
As also mentioned in Parallel Container Layer Unpacking #8881, although the current containerd fetches layers in parallel, it unpacks them in a single thread, layer by layer, sequentially. Parallel unpacking relies on a 'rebase' snapshotter interface.
Describe the solution you'd like
Introduce an EROFS snapshotter and differ that transform each OCI layer into EROFS format, so that each layer is a single file instead of a massive number of files and directories. This lets us make the whole layer immutable and enable runtime data integrity protection for the converted layers.
Each layer can be transformed in parallel rather than applied one by one, and the 'rebase' snapshotter interface mentioned by Derek can be implemented smoothly.
EROFS layers can be merged into one read-only filesystem instance to mount. It's a better implementation of the 'immutable container image' concept.
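To make the integrity argument concrete, here is an added Go example (not code from containerd or from this proposal) contrasting the two cases described above: a layer that exists as one opaque blob can be covered by a single digest and checked in parallel with its siblings, whereas a layer unpacked into a directory tree can only be verified by walking every entry in a deterministic order and hashing path, mode and content together. The layer blobs and the directory tree are constructed inline; function names are my own, and nothing here calls the EROFS tooling itself.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
	"sync"
)

// BlobDigest covers a whole single-file layer (the converted, one-file-per-layer case)
// with one hash; there is nothing else to track.
func BlobDigest(blob []byte) string {
	sum := sha256.Sum256(blob)
	return hex.EncodeToString(sum[:])
}

// TreeDigest covers a layer that was unpacked into a directory tree (the overlayfs-style
// case). To obtain a stable digest every entry must be visited in sorted order and its
// relative path, mode and content fed to the hash. It returns the digest and the number
// of entries that had to be tracked.
func TreeDigest(root string) (string, int, error) {
	var entries []string
	err := filepath.WalkDir(root, func(p string, _ fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		rel, err := filepath.Rel(root, p)
		if err != nil {
			return err
		}
		entries = append(entries, filepath.ToSlash(rel))
		return nil
	})
	if err != nil {
		return "", 0, err
	}
	sort.Strings(entries) // deterministic order regardless of directory read order
	h := sha256.New()
	for _, rel := range entries {
		full := filepath.Join(root, filepath.FromSlash(rel))
		info, err := os.Lstat(full)
		if err != nil {
			return "", 0, err
		}
		fmt.Fprintf(h, "%s\x00%o\x00", rel, info.Mode()) // path and mode are part of the layer
		if info.Mode().IsRegular() {
			data, err := os.ReadFile(full)
			if err != nil {
				return "", 0, err
			}
			h.Write(data)
		}
		h.Write([]byte{0})
	}
	return hex.EncodeToString(h.Sum(nil)), len(entries), nil
}

// VerifyLayersParallel checks each single-file layer against its expected digest in its
// own goroutine: independent blobs need no sequential apply step before verification.
func VerifyLayersParallel(blobs [][]byte, expected []string) []bool {
	results := make([]bool, len(blobs))
	var wg sync.WaitGroup
	for i := range blobs {
		wg.Add(1)
		go func(i int) {
			defer wg.Done()
			results[i] = BlobDigest(blobs[i]) == expected[i]
		}(i)
	}
	wg.Wait()
	return results
}

func main() {
	// Constructed sample blobs standing in for converted single-file layers.
	blobs := [][]byte{[]byte("layer-0 contents"), []byte("layer-1 contents")}
	expected := []string{BlobDigest(blobs[0]), BlobDigest(blobs[1])}
	blobs[1] = append(blobs[1], '!') // simulate corruption of one layer blob
	fmt.Println("parallel blob verification:", VerifyLayersParallel(blobs, expected))

	// Constructed unpacked layer: a small tree in a temporary directory.
	dir, err := os.MkdirTemp("", "unpacked-layer")
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(dir)
	os.MkdirAll(filepath.Join(dir, "etc"), 0o755)
	os.WriteFile(filepath.Join(dir, "etc", "app.conf"), []byte("mode=prod\n"), 0o644)
	before, n, _ := TreeDigest(dir)
	os.WriteFile(filepath.Join(dir, "etc", "app.conf"), []byte("mode=debug\n"), 0o644)
	after, _, _ := TreeDigest(dir)
	fmt.Printf("tree of %d entries: digest changed after edit = %v\n", n, before != after)
}
```

The point of the contrast is the amount of state each approach must trust: the blob case checks one digest per layer and can do so concurrently, while the tree case has to enumerate and hash every path and mode, which is exactly the per-file metadata that the unpacking model leaves unprotected at runtime.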
Additional context