feat: add rootfs view accessor and runtime boot binds

Introduce RootfsViewAccessor to create read-only containerd view snapshots
with leases and persist state in bundle config.json under
com.urunc.internal.rootfs.view. Bind kernel, initrd, and urunc.json from
the view in block rootfs after prepareRoot(), with legacy extract fallback.

Signed-off-by: sidneychang <2190206983@qq.com>

Author: sidneychang

pkg/containerd-shim/containerd/rootfs_view.go

@@ -0,0 +1,327 @@
+// Copyright (c) 2023-2026, Nubificus LTD
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package containerd
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+
+	leasesapi "github.com/containerd/containerd/api/services/leases/v1"
+	snapshotsapi "github.com/containerd/containerd/api/services/snapshots/v1"
+	cntrtypes "github.com/containerd/containerd/api/types"
+	"github.com/containerd/containerd/errdefs"
+	"github.com/containerd/containerd/mount"
+	"github.com/sirupsen/logrus"
+	"github.com/urunc-dev/urunc/pkg/unikontainers"
+	"github.com/urunc-dev/urunc/pkg/unikontainers/types"
+	"google.golang.org/grpc/metadata"
+)
+
+const (
+	rootfsViewKeyPrefix   = "urunc-rootfs-view-"
+	rootfsViewLeasePrefix = "urunc-rootfs-view-lease-"
+	rootfsViewAnnotation  = "com.urunc.internal.rootfs.view"
+)
+
+var (
+	ErrRootfsViewNotPrepared = errors.New("rootfs view not prepared")
+	rootfsViewLog            = logrus.WithField("subsystem", "containerd-shim-rootfs-view")
+)
+
+type rootfsViewState struct {
+	Snapshotter string        `json:"snapshotter"`
+	Mounts      []mount.Mount `json:"mounts,omitempty"`
+}
+
+type RootfsViewAccessor struct {
+	namespace   string
+	containerID string
+	snapshotter string
+	snapshotKey string
+	snapshots   snapshotsapi.SnapshotsClient
+	leases      leasesapi.LeasesClient
+}
+
+func NewRootfsViewAccessor(s *Session) *RootfsViewAccessor {
+	a := &RootfsViewAccessor{
+		namespace:   s.namespace,
+		containerID: s.containerID,
+		snapshots:   s.snapshotsClient(),
+		leases:      s.leasesClient(),
+	}
+	ctr := s.GetContainer()
+	if ctr != nil && ctr.GetSnapshotKey() != "" {
+		a.snapshotter = ctr.GetSnapshotter()
+		a.snapshotKey = ctr.GetSnapshotKey()
+	}
+	return a
+}
+
+func (a *RootfsViewAccessor) viewKey() string {
+	return rootfsViewKeyPrefix + a.containerID
+}
+
+func (a *RootfsViewAccessor) leaseID() string {
+	return rootfsViewLeasePrefix + a.containerID
+}
+
+func (a *RootfsViewAccessor) ShouldPrepare(rootfs types.RootfsParams) bool {
+	if a == nil ||
+		a.snapshotter == "" ||
+		a.snapshotKey == "" ||
+		(a.snapshotter != "devmapper" && a.snapshotter != "blockfile") ||
+		rootfs.Type != "block" ||
+		rootfs.MountedPath == "" {
+		return false
+	}
+
+	uruncCfg, cfgErr := unikontainers.LoadUruncConfig(unikontainers.UruncConfigPath)
+	if cfgErr != nil {
+		rootfsViewLog.WithError(cfgErr).Warn("failed to load urunc config; rootfs view disabled")
+		return false
+	}
+	return uruncCfg.RootfsView.Enabled
+}
+
+// Prepare records a read-only view of the committed rootfs snapshot for runtime use.
+func (a *RootfsViewAccessor) Prepare(ctx context.Context, bundle string) error {
+	if a == nil {
+		return fmt.Errorf("rootfs view accessor is nil")
+	}
+
+	snapshotKey, err := a.resolveCommittedSnapshotBase(ctx, a.snapshotter, a.snapshotKey)
+	if err != nil {
+		return err
+	}
+
+	viewKey := a.viewKey()
+	leaseID := a.leaseID()
+
+	nsCtx := withNamespace(ctx, a.namespace)
+	if _, err := a.leases.Create(nsCtx, &leasesapi.CreateRequest{ID: leaseID}); err != nil {
+		err = containerdErr(err)
+		if err != nil && !errdefs.IsAlreadyExists(err) {
+			return fmt.Errorf("create rootfs view lease %s: %w", leaseID, err)
+		}
+	}
+
+	leaseCtx := metadata.AppendToOutgoingContext(nsCtx, "containerd-lease", leaseID)
+	mounts, err := a.createRootfsView(leaseCtx, viewKey, snapshotKey)
+	if err != nil {
+		if cleanupErr := cleanupRootfsViewLease(ctx, a.namespace, a.leaseID(), a.leases); cleanupErr != nil {
+			rootfsViewLog.WithError(cleanupErr).Warn("failed to clean up rootfs view lease after prepare failure")
+		}
+		return err
+	}
+
+	state := &rootfsViewState{
+		Snapshotter: a.snapshotter,
+		Mounts:      mounts,
+	}
+
+	encoded, err := json.Marshal(state)
+	if err != nil {
+		return fmt.Errorf("marshal rootfs view state: %w", err)
+	}
+	if err := unikontainers.PatchBundleRootfsView(bundle, string(encoded)); err != nil {
+		if cleanupErr := cleanupRootfsView(ctx, a.namespace, a.containerID, a.snapshotter, a.snapshots, a.leases); cleanupErr != nil {
+			rootfsViewLog.WithError(cleanupErr).Warn("failed to clean up rootfs view after state persistence failure")
+			return fmt.Errorf("persist rootfs view state: %w (cleanup also failed: %v)", err, cleanupErr)
+		}
+		return fmt.Errorf("persist rootfs view state: %w", err)
+	}
+
+	return nil
+}
+
+func (a *RootfsViewAccessor) Cleanup(ctx context.Context, snapshotter string) error {
+	if a == nil {
+		return fmt.Errorf("rootfs view accessor is nil")
+	}
+	if a.containerID == "" {
+		return fmt.Errorf("container id is empty")
+	}
+	if snapshotter == "" {
+		return fmt.Errorf("snapshotter is empty")
+	}
+	return cleanupRootfsView(ctx, a.namespace, a.containerID, snapshotter, a.snapshots, a.leases)
+}
+
+func (a *RootfsViewAccessor) CleanupFromBundle(ctx context.Context, bundle string) error {
+	if a == nil {
+		return fmt.Errorf("rootfs view accessor is nil")
+	}
+	snapshotter, err := GetSnapshotterFromBundle(bundle)
+	if err != nil {
+		if errors.Is(err, ErrRootfsViewNotPrepared) {
+			return nil
+		}
+		return err
+	}
+	return a.Cleanup(ctx, snapshotter)
+}
+
+func (a *RootfsViewAccessor) statSnapshot(ctx context.Context, snapshotter, key string) (parent string, committed bool, err error) {
+	resp, err := a.snapshots.Stat(withNamespace(ctx, a.namespace), &snapshotsapi.StatSnapshotRequest{
+		Snapshotter: snapshotter,
+		Key:         key,
+	})
+	if err = containerdErr(err); err != nil {
+		return "", false, err
+	}
+	info := resp.GetInfo()
+	if info == nil {
+		return "", false, fmt.Errorf("stat snapshot %s (%s): empty info", key, snapshotter)
+	}
+	return info.GetParent(), info.GetKind() == snapshotsapi.Kind_COMMITTED, nil
+}
+
+func (a *RootfsViewAccessor) resolveCommittedSnapshotBase(ctx context.Context, snapshotter, snapshotKey string) (string, error) {
+	parent, committed, err := a.statSnapshot(ctx, snapshotter, snapshotKey)
+	if err != nil {
+		return "", fmt.Errorf("stat snapshot %s (%s): %w", snapshotKey, snapshotter, err)
+	}
+	if committed {
+		return snapshotKey, nil
+	}
+	if parent == "" {
+		return snapshotKey, nil
+	}
+
+	current := parent
+	for {
+		parent, committed, err = a.statSnapshot(ctx, snapshotter, current)
+		if err != nil {
+			return "", fmt.Errorf("stat snapshot %s (%s parent walk): %w", current, snapshotter, err)
+		}
+		if committed {
+			return current, nil
+		}
+		if parent == "" {
+			return "", fmt.Errorf("%s snapshot %s has no committed parent in chain", snapshotter, snapshotKey)
+		}
+		current = parent
+	}
+}
+
+func (a *RootfsViewAccessor) createRootfsView(ctx context.Context, viewKey, parentKey string) ([]mount.Mount, error) {
+	nsCtx := withNamespace(ctx, a.namespace)
+	viewResp, err := a.snapshots.View(nsCtx, &snapshotsapi.ViewSnapshotRequest{
+		Snapshotter: a.snapshotter,
+		Key:         viewKey,
+		Parent:      parentKey,
+	})
+	if err = containerdErr(err); err == nil {
+		return protoMountsToMounts(viewResp.GetMounts()), nil
+	}
+	if !errdefs.IsAlreadyExists(err) {
+		return nil, fmt.Errorf("create rootfs view %s from %s: %w", viewKey, parentKey, err)
+	}
+
+	// Reuse an existing view left by a retry or partial prepare.
+	mountsResp, err := a.snapshots.Mounts(nsCtx, &snapshotsapi.MountsRequest{
+		Snapshotter: a.snapshotter,
+		Key:         viewKey,
+	})
+	if err = containerdErr(err); err != nil {
+		return nil, fmt.Errorf("create rootfs view %s from %s: %w", viewKey, parentKey, err)
+	}
+	return protoMountsToMounts(mountsResp.GetMounts()), nil
+}
+
+func protoMountsToMounts(mm []*cntrtypes.Mount) []mount.Mount {
+	out := make([]mount.Mount, len(mm))
+	for i, m := range mm {
+		out[i] = mount.Mount{
+			Type:    m.Type,
+			Source:  m.Source,
+			Target:  m.Target,
+			Options: m.Options,
+		}
+	}
+	return out
+}
+
+func GetSnapshotterFromBundle(bundle string) (string, error) {
+	raw, err := unikontainers.ReadBundleRootfsView(bundle)
+	if err != nil {
+		return "", err
+	}
+	if raw == "" {
+		return "", ErrRootfsViewNotPrepared
+	}
+	var state rootfsViewState
+	if err := json.Unmarshal([]byte(raw), &state); err != nil {
+		return "", fmt.Errorf("unmarshal rootfs view state %s: %w", rootfsViewAnnotation, err)
+	}
+	if state.Snapshotter == "" {
+		return "", ErrRootfsViewNotPrepared
+	}
+	return state.Snapshotter, nil
+}
+
+func ShouldCleanupRootfsView(bundle string) (bool, string, error) {
+	snapshotter, err := GetSnapshotterFromBundle(bundle)
+	if err != nil {
+		if errors.Is(err, ErrRootfsViewNotPrepared) {
+			return false, "", nil
+		}
+		return false, "", err
+	}
+	return true, snapshotter, nil
+}
+
+func cleanupRootfsView(
+	ctx context.Context,
+	namespace, containerID, snapshotter string,
+	snapshots snapshotsapi.SnapshotsClient,
+	leases leasesapi.LeasesClient,
+) error {
+	if containerID == "" || snapshotter == "" {
+		return nil
+	}
+	nsCtx := withNamespace(ctx, namespace)
+	_, err := snapshots.Remove(nsCtx, &snapshotsapi.RemoveSnapshotRequest{
+		Snapshotter: snapshotter,
+		Key:         rootfsViewKey(containerID),
+	})
+	if err = containerdErr(err); err != nil && !errdefs.IsNotFound(err) {
+		rootfsViewLog.WithError(err).Warn("failed to remove rootfs view from containerd")
+		return err
+	}
+	return cleanupRootfsViewLease(ctx, namespace, rootfsViewLeaseID(containerID), leases)
+}
+
+func cleanupRootfsViewLease(ctx context.Context, namespace, leaseID string, leases leasesapi.LeasesClient) error {
+	if leaseID == "" {
+		return nil
+	}
+	_, err := leases.Delete(withNamespace(ctx, namespace), &leasesapi.DeleteRequest{ID: leaseID})
+	if err = containerdErr(err); err != nil && !errdefs.IsNotFound(err) {
+		rootfsViewLog.WithError(err).Warn("failed to remove rootfs view lease from containerd")
+		return err
+	}
+	return nil
+}
+
+func rootfsViewKey(containerID string) string {
+	return rootfsViewKeyPrefix + containerID
+}
+
+func rootfsViewLeaseID(containerID string) string {
+	return rootfsViewLeasePrefix + containerID
+}

pkg/containerd-shim/containerd/session.go

@@ -158,12 +158,10 @@ func (s *Session) contentClient() contentapi.ContentClient {
 	return contentapi.NewContentClient(s.conn)
 }
 
-//nolint:unused // Used by follow-up feature-specific access constructors.
 func (s *Session) snapshotsClient() snapshotsapi.SnapshotsClient {
 	return snapshotsapi.NewSnapshotsClient(s.conn)
 }
 
-//nolint:unused // Used by follow-up feature-specific access constructors.
 func (s *Session) leasesClient() leasesapi.LeasesClient {
 	return leasesapi.NewLeasesClient(s.conn)
 }