[release/2.2] Unpack images with per-layer labels for runtime-specific snapshotters#12936
Merged
mxpv merged 1 commit intocontainerd:release/2.2from Mar 2, 2026
Merged
Conversation
…tters Remote/proxy snapshotters like nydus need per-layer annotations on each snapshot (cri.image-ref, cri.layer-digest, cri.manifest-digest, cri.image-layers) so they can lazily fetch content inside the guest VM. During a normal PullImage, these annotations are set by AppendInfoHandlerWrapper and flow through the core/unpack.Unpacker to each layer's Prepare/Commit call. However, when an image is already present for one snapshotter (e.g., overlayfs) and needs to be used with a different one (e.g., nydus for Kata), no pull occurs. The image must be unpacked into the target snapshotter with the correct per-layer labels. Replace the image.Unpack() fallback in customopts.WithNewSnapshot with unpackImage, which leverages the existing core/unpack.Unpacker and wraps the image handler with AppendInfoHandlerWrapper when snapshot annotations are enabled (!DisableSnapshotAnnotations). This reuses the same unpack machinery as PullImage, including retry handling, parallel layer support, and deduplication. Note: this is a manual backport of PR containerd#12835 (targeting main). On release/2.2, DisableSnapshotAnnotations lives on ImageConfig which is not embedded in criconfig.Config, so we expose it via a new DisableSnapshotAnnotations() method on the ImageService interface instead of accessing the config field directly. Signed-off-by: Fabiano Fidêncio <[email protected]>
fidencio
force-pushed
the
release-2.2/backport-12835
branch
from
1a7fdd7 to
a5f83d8
Compare
fidencio
changed the title
Member
Contributor
Author
Member
|
Need to clarify which release is the next LTS. |
Contributor
Author
|
Looking at the most recent updates on #12830, it seems the 2.3 will be the LTS. |
fuweid
approved these changes
Mar 2, 2026
Member
fuweid
left a comment
fuweid
left a comment
There was a problem hiding this comment.
The change looks good to me and seems like a bug fix.
It does change the ImageService interface, but ImageService is internal, so it shouldn’t impact end users.
One downside: it could make subsequent backports more difficult (or require adjustments).
ping @containerd/reviewers @containerd/committers to review whether this change is eligible for backport.
mxpv
approved these changes
Mar 2, 2026
github-project-automation
Bot
moved this from Needs Triage
to Review In Progress
in Pull Request Review
github-project-automation
Bot
moved this from Review In Progress
to Done
in Pull Request Review
samuelkarp
changed the title
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Remote/proxy snapshotters like nydus need per-layer annotations on each snapshot (cri.image-ref, cri.layer-digest, cri.manifest-digest, cri.image-layers) so they can lazily fetch content inside the guest VM. During a normal PullImage, these annotations are set by AppendInfoHandlerWrapper and flow through the core/unpack.Unpacker to each layer's Prepare/Commit call.
However, when an image is already present for one snapshotter (e.g., overlayfs) and needs to be used with a different one (e.g., nydus for Kata), no pull occurs. The image must be unpacked into the target snapshotter with the correct per-layer labels.
Replace the image.Unpack() fallback in customopts.WithNewSnapshot with unpackImage, which leverages the existing core/unpack.Unpacker and wraps the image handler with AppendInfoHandlerWrapper when snapshot annotations are enabled (!DisableSnapshotAnnotations). This reuses the same unpack machinery as PullImage, including retry handling, parallel layer support, and deduplication.
Note: this is a manual backport of PR #12835 (targeting main). On release/2.2, DisableSnapshotAnnotations lives on ImageConfig which is not embedded in criconfig.Config, so we expose it via a new DisableSnapshotAnnotations() method on the ImageService interface instead of accessing the config field directly.