Skip to content

Add dmverity support to erofs snapshotter using veritysetup cli#12457

Closed
aadhar-agarwal wants to merge 1 commit intocontainerd:mainfrom
aadhar-agarwal:aadagarwal/erofs-snapshotter-with-dmverity
Closed

Add dmverity support to erofs snapshotter using veritysetup cli#12457
aadhar-agarwal wants to merge 1 commit intocontainerd:mainfrom
aadhar-agarwal:aadagarwal/erofs-snapshotter-with-dmverity

Conversation

@aadhar-agarwal
Copy link
Copy Markdown
Contributor

@aadhar-agarwal aadhar-agarwal commented Nov 3, 2025
edited
Loading

Add dm-verity support for EROFS layers in containerd

This PR introduces block-level data integrity verification for EROFS container layers using device-mapper verity (dm-verity):

  • Uses the veritysetup CLI tool to create Merkle hash trees and dm-verity devices for EROFS blobs.
  • Adds new configuration: enable_dmverity = true for both snapshotter and differ plugins.
  • EROFS layers are formatted with a dm-verity hash tree; metadata is stored in layer.erofs.dmverity alongside the blob.
  • At runtime, each layer is mounted via a dm-verity device (read-only) and verified.
  • Mount options for dm-verity are passed via the mount manager and applied per layer.
  • Extensive tests cover formatting, mounting, idempotency, error cases, and end-to-end workflow.
  • Non-Linux environments gracefully handle unsupported dm-verity operations.

Note: When enabled, it requires a Linux kernel with dm-verity support and the dm_verity module loaded, and the veritysetup binary from cryptsetup

@github-project-automation github-project-automation Bot moved this to Needs Triage in Pull Request Review Nov 3, 2025
@aadhar-agarwal aadhar-agarwal mentioned this pull request Nov 3, 2025
Closed
@aadhar-agarwal aadhar-agarwal force-pushed the aadagarwal/erofs-snapshotter-with-dmverity branch 10 times, most recently from 9fd3c39 to 7de454c Compare November 11, 2025 02:03
@aadhar-agarwal aadhar-agarwal changed the title Add dmverity support to erofs snapshotter Add dmverity support to erofs snapshotter using veritysetup cli Nov 11, 2025
@aadhar-agarwal aadhar-agarwal mentioned this pull request Nov 11, 2025
Merged
@aadhar-agarwal aadhar-agarwal force-pushed the aadagarwal/erofs-snapshotter-with-dmverity branch from 7de454c to 3e3aff2 Compare November 12, 2025 19:29
@k8s-ci-robot
Copy link
Copy Markdown

k8s-ci-robot commented Dec 30, 2025

PR needs rebase.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@github-project-automation github-project-automation Bot moved this from Needs Triage to Done in Pull Request Review Jan 5, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Awaiting requested review from Copilot Copilot will automatically review once the pull request is marked ready for review

Assignees

No one assigned

Labels

do-not-merge/work-in-progress needs-rebase size/XXL

Projects

Pull Request Review
Archived in project

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@aadhar-agarwal @k8s-ci-robot