Closes #1514

Codecov Report

Merging #1567 into master will not change coverage.
The diff coverage is n/a.

@@           Coverage Diff           @@
##           master    #1567   +/-   ##
=======================================
  Coverage   42.44%   42.44%           
=======================================
  Files          24       24           
  Lines        3362     3362           
=======================================
  Hits         1427     1427           
  Misses       1608     1608           
  Partials      327      327

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 7c9b0ea...c555df5. Read the comment docs.

@stevvooe So for us, during the start, we need to recover all ready images, to check whether a image is ready or not we need to:

1. Call this Check helper function to see whether all contents are ready;
2. Check top snapshot readiness with ChainID:
   a. If yes, image is ready;
   b. If not, unpack it.

Then we could be sure that the image is ready for use?

@Random-Liu Yes, this provides the check for the metadata content.

I think we should move the snapshotter preparation to the container rootfs creation stage, rather than using it to decide if an image is "Ready". If you move snapshot preparation to the image readiness size, it requires that the "image" is parameterized on which snapshot is use, which should really be a property of a given container.

Basically, Unpack should handle partials and successful return from Check should be enough to declare readiness.

I think we should move the snapshotter preparation to the container rootfs creation stage, rather than using it to decide if an image is "Ready".

Hm. Maybe I misunderstood something. Now when create container rootfs, we usually just use WithNewSnapshotter, which creates a writable layer on top of the parent (top) snapshot, right? It should assume that parent snapshot exists already.

If we don't check top snapshot for image readiness, does it mean that whenever we create container rootfs we should try to unpack the image?

@Random-Liu Well, that is the current behavior, but I am wondering if we should have WithNewSnapshotter go further to completely prepare the image. If that means doing the initial unpack, it might take longer the first time, but it would ensure that the system is always in the right state to run the container. Classically, this is done at pull time, but I think creation time has better behavioral properties, especially when operating in mixed-snapshotter scenarios.

Well, that is the current behavior, but I am wondering if we should have WithNewSnapshotter go further to completely prepare the image. If that means doing the initial unpack, it might take longer the first time, but it would ensure that the system is always in the right state to run the container. Classically, this is done at pull time, but I think creation time has better behavioral properties, especially when operating in mixed-snapshotter scenarios.

We could always add options to tell WithNewSnapshotter to do unpack, I'm totally fine with it. :) However, we may not be able to use it. If I understand correctly, unpack may take quite a long time:

1. In Kubernetes, we add timeout to different CRI operations to avoid operation stuck forever. The container creation timeout is much shorter than image pulling.
2. In Kubernetes, we schedule pod based on data locality including whether the image presents or not. This makes container creation time unpredictable even when Kubernetes see the image on the node.
3. I remember you said that content store may be remote or P2P based in the future, if I understand correctly Unpack may take even longer time in that case?

Anyway, containerd provided the API to check existence of top snapshot, so it's enough for us. :)

@Random-Liu I agree that those are good approaches where unpack is amortized into pull. However, in cases where the snapshotter isn't known until container start time, we move the unpack to container preparation/creation. For CRI-containerd, this is easy to just model as it is done in docker today, with unpack amortized into pull.

Does this concern stop this PR or would you like me to add a version of this that handles the snapshotter situation, as well?

I agree that those are good approaches where unpack is amortized into pull. However, in cases where the snapshotter isn't known until container start time, we move the unpack to container preparation/creation. For CRI-containerd, this is easy to just model as it is done in docker today, with unpack amortized into pull.

As long as it's still possible to unpack during Pull (keep current WithUnpack option), it's fine to us. :)

Does this concern stop this PR or would you like me to add a version of this that handles the snapshotter situation, as well?

If it's simply check top snapshot existence by chain ID, I think it's fine to do it ourselves in cri-containerd.

@Random-Liu The problem is that the snapshot may not exist. What does cri-containerd do in that situation?

@stevvooe If cri-containerd always does unpack during image pulling, non-exist snapshot should be rare case. I think when we find it during list/inspect/restart, we may just remove the reference and let next garbage collection handle it.

LGTM