docs(rootfs-view): document config and task flow

Signed-off-by: sidneychang <2190206983@qq.com>

Author: sidneychang

docs/configuration.md

@@ -38,6 +38,9 @@ default_vcpus = 1
 [extra_binaries.virtiofsd]
 path = "/usr/libexec/virtiofsd"
 options = "--sandbox none"
+
+[rootfs_view]
+enabled = false
 ```
 
 ## Configuration Sections
@@ -89,6 +92,36 @@ destination = "/tmp/urunc-timestamps.log"
 
 When enabled, `urunc` will log performance timestamps to help with debugging and optimization.
 
+### Rootfs View Configuration
+
+The `[rootfs_view]` section controls whether the urunc shim prepares a
+per-container containerd rootfs view at task Create (for `devmapper` /
+`blockfile` snapshotters). This is a **host-level** setting in
+`/etc/urunc/config.toml`, not an OCI bundle annotation.
+
+| Option | Type | Default | Description |
+|--------|------|---------|-------------|
+| `enabled` | boolean | `false` | Prepare rootfs views for container block rootfs after shim task Create |
+
+When `enabled = true`, the shim first lets the wrapped task service create the
+task so the bundle rootfs is mounted. It then runs `ChooseRootfs` and prepares a
+view only if **all** of the following hold:
+
+1. The container snapshotter is block-based (`devmapper` or `blockfile`).
+2. Shim `ChooseRootfs` selected **container block rootfs** (`type=block` with a
+   non-empty `MountedPath`).
+
+This matches the block-rootfs boot-artifact path: kernel/initrd are read from a
+read-only view instead of being copied out of the container rootfs before attach.
+`com.urunc.unikernel.rootfsView` is not used for this gate.
+
+**Example:**
+
+```toml
+[rootfs_view]
+enabled = true
+```
+
 ### Monitor Configuration
 
 The `[monitors]` section allows you to configure default settings for different

docs/package/index.md

@@ -72,6 +72,15 @@ Except of the above, `urunc` accepts the following optional annotations:
 - `com.urunc.unikernel.mountRootfs`: A boolean value that if it is `true`,
   requests from `urunc` to mount the container's image rootfs in the unikernel
   (either as a block device or through shared-fs).
+- Per-container rootfs views are enabled in `/etc/urunc/config.toml`
+  (`[rootfs_view] enabled = true`), not via a bundle annotation. See
+  [configuration](../configuration.md#rootfs-view-configuration). When enabled,
+  the container must also use `com.urunc.unikernel.mountRootfs=true` (typically
+  from image annotations merged into `config.json` before shim task Create).
+  Supported snapshotters include `devmapper` and `blockfile`. After the wrapped
+  task service creates the task and mounts the bundle rootfs, the shim runs
+  `ChooseRootfs` and prepares a view only when that selection is container block
+  rootfs.
 
 Due to the fact that [Docker](https://www.docker.com/) and some high-level
 container runtimes do not pass the image annotations to the underlying container
@@ -80,6 +89,10 @@ container's rootfs. The file should be named `urunc.json`, it should be
 placed in the root directory of the container's rootfs and it should have a JSON
 format with the above information, where the values are base64 encoded.
 
+Enable rootfs views on the host with `[rootfs_view] enabled = true` in
+`/etc/urunc/config.toml`. The shim prepares a view after task Create when
+`ChooseRootfs` selects container block rootfs on a block snapshotter.
+
 ## Tools to construct OCI images with `urunc`'s annotations
 
 As previously mentioned we currently provide 2 different tools to build and