feat(unikontainers): consume per-container snapshot views

Load shim-written snapshot view state from the bundle and mount the
read-only view when extracting boot artifacts for block-backed guests.

Bind kernel, initrd, and urunc.json from the prepared view into the
monitor rootfs, while keeping the existing block extraction path as the
fallback when no per-container view is available.

Add the snapshotView annotation to unikernel config parsing and log the
selected rootfs configuration for debugging.

Signed-off-by: sidneychang <2190206983@qq.com>

Author: sidneychang

pkg/unikontainers/block.go

@@ -16,6 +16,7 @@ package unikontainers
 
 import (
 	"bufio"
+	"context"
 	"errors"
 	"fmt"
 	"os"
@@ -120,6 +121,33 @@ func getMountInfo(path string) (types.BlockDevParams, error) {
 	return blockDev, nil
 }
 
+// bindBootArtifactsToMonRootfs bind-mounts boot files from an external
+// artifact root into the monitor rootfs without changing source permissions.
+func bindBootArtifactsToMonRootfs(artifactRoot, monRootfs, unikernelPath, initrdPath, uruncJSON string) ([]string, error) {
+	norm := func(p string) string { return strings.TrimPrefix(filepath.Clean(p), "/") }
+	files := []struct{ src, target string }{
+		{filepath.Join(artifactRoot, unikernelPath), norm(unikernelPath)},
+		{filepath.Join(artifactRoot, uruncJSON), norm(uruncJSON)},
+	}
+	if initrdPath != "" {
+		files = append(files, struct{ src, target string }{
+			filepath.Join(artifactRoot, initrdPath), norm(initrdPath),
+		})
+	}
+
+	targets := make([]string, 0, len(files))
+	for _, f := range files {
+		dstPath := filepath.Join(monRootfs, f.target)
+		dstDir := filepath.Dir(dstPath)
+		if err := bindMountFile(f.src, dstDir, dstPath, 0, unix.MS_BIND|unix.MS_PRIVATE, false); err != nil {
+			rollbackPerContainerViewTargets(targets)
+			return nil, fmt.Errorf("bind view %s -> monRootfs/%s: %w", f.src, f.target, err)
+		}
+		targets = append(targets, dstPath)
+	}
+	return targets, nil
+}
+
 // extractUnikernelFromBlock moves unikernel binary, initrd and urunc.json
 // files from old rootfsPath to newRootfsPath
 // FIXME: This approach fills up /run with unikernel binaries, initrds and urunc.json
@@ -148,7 +176,6 @@ func extractBootFiles(rootfsPath string, newRootfsPath string, unikernel string,
 	if err != nil {
 		return fmt.Errorf("Could not move %s to %s: %w", currentConfigPath, newRootfsPath, err)
 	}
-
 	return nil
 }
 
@@ -226,25 +253,49 @@ func getBlockVolumes(monRootfs string, mounts []specs.Mount, ukernel types.Unike
 }
 
 func (b blockRootfs) preSetup() error {
+	// Preserve main's propagation fix: consume boot artifacts and unmount the
+	// container rootfs before prepareRoot() makes the mount tree private/slave.
 	if b.mountedPath == "" {
 		return nil
 	}
 
-	err := copyMountfiles(b.mountedPath, b.mounts)
+	bundleDir := filepath.Dir(b.monRootfs)
+	var viewTargets []string
+	fromPerContainerView, err := tryRunOnPerContainerView(context.Background(), bundleDir, func(root string) error {
+		var bindErr error
+		viewTargets, bindErr = bindBootArtifactsToMonRootfs(root, b.monRootfs, b.kernelPath, b.initrdPath, b.uruncJSONPath)
+		return bindErr
+	})
 	if err != nil {
-		return fmt.Errorf("failed to copy files from mount list: %w", err)
+		uniklog.WithError(err).Warn("snapshot view unavailable; falling back to legacy boot file extraction")
+		fromPerContainerView = false
 	}
 
-	// FIXME: This approach fills up /run with unikernel binaries and
-	// urunc.json files for each unikernel instance we run
-	err = extractBootFiles(b.mountedPath, b.monRootfs, b.kernelPath, b.uruncJSONPath, b.initrdPath)
-	if err != nil {
-		return fmt.Errorf("failed to extract boot files from rootfs: %w", err)
+	if err := copyMountfiles(b.mountedPath, b.mounts); err != nil {
+		return fmt.Errorf("failed to copy files from mount list: %w", err)
 	}
 
-	err = mount.Unmount(b.mountedPath)
-	if err != nil {
-		return fmt.Errorf("failed to unmount rootfs: %w", err)
+	if fromPerContainerView {
+		if err := persistPerContainerViewMountsState(bundleDir, viewTargets); err != nil {
+			rollbackPerContainerViewTargets(viewTargets)
+			return err
+		}
+		if err := mount.Unmount(b.mountedPath); err != nil {
+			return fmt.Errorf("failed to unmount rootfs: %w", err)
+		}
+	} else {
+		if err := removePerContainerViewMountsState(bundleDir); err != nil {
+			return err
+		}
+		// FIXME: This approach fills up /run with unikernel binaries and
+		// urunc.json files for each unikernel instance we run
+		if err := extractBootFiles(b.mountedPath, b.monRootfs, b.kernelPath, b.uruncJSONPath, b.initrdPath); err != nil {
+			return fmt.Errorf("failed to extract boot files from rootfs: %w", err)
+		}
+
+		if err := mount.Unmount(b.mountedPath); err != nil {
+			return fmt.Errorf("failed to unmount rootfs: %w", err)
+		}
 	}
 
 	return nil

pkg/unikontainers/config.go

@@ -45,6 +45,7 @@ const (
 	annotBlock         = "com.urunc.unikernel.block"
 	annotBlockMntPoint = "com.urunc.unikernel.blkMntPoint"
 	annotMountRootfs   = "com.urunc.unikernel.mountRootfs"
+	annotSnapshotView  = "com.urunc.unikernel.snapshotView"
 )
 
 // A UnikernelConfig struct holds the info provided by bima image on how to execute our unikernel
@@ -58,6 +59,7 @@ type UnikernelConfig struct {
 	Block            string `json:"com.urunc.unikernel.block,omitempty"`
 	BlkMntPoint      string `json:"com.urunc.unikernel.blkMntPoint,omitempty"`
 	MountRootfs      string `json:"com.urunc.unikernel.mountRootfs"`
+	SnapshotView     string `json:"com.urunc.unikernel.snapshotView,omitempty"`
 }
 
 // validate checks if the mandatory configuration fields are present.
@@ -127,6 +129,7 @@ func getConfigFromSpec(spec *specs.Spec) *UnikernelConfig {
 	block := spec.Annotations[annotBlock]
 	blkMntPoint := spec.Annotations[annotBlockMntPoint]
 	MountRootfs := spec.Annotations[annotMountRootfs]
+	snapshotView := spec.Annotations[annotSnapshotView]
 	uniklog.WithFields(logrus.Fields{
 		"unikernelType":    tryDecode(unikernelType),
 		"unikernelVersion": tryDecode(unikernelVersion),
@@ -137,6 +140,7 @@ func getConfigFromSpec(spec *specs.Spec) *UnikernelConfig {
 		"block":            tryDecode(block),
 		"blkMntPoint":      tryDecode(blkMntPoint),
 		"mountRootfs":      tryDecode(MountRootfs),
+		"snapshotView":     tryDecode(snapshotView),
 	}).WithField("source", "spec").Debug("urunc annotations")
 
 	return &UnikernelConfig{
@@ -149,6 +153,7 @@ func getConfigFromSpec(spec *specs.Spec) *UnikernelConfig {
 		Block:            block,
 		BlkMntPoint:      blkMntPoint,
 		MountRootfs:      MountRootfs,
+		SnapshotView:     snapshotView,
 	}
 }
 
@@ -188,6 +193,7 @@ func getConfigFromJSON(jsonFilePath string) (*UnikernelConfig, error) {
 		"block":            tryDecode(conf.Block),
 		"blkMntPoint":      tryDecode(conf.BlkMntPoint),
 		"mountRootfs":      tryDecode(conf.MountRootfs),
+		"snapshotView":     tryDecode(conf.SnapshotView),
 	}).WithField("source", uruncJSONFilename).Debug("urunc annotations")
 
 	return &conf, nil

pkg/unikontainers/per_container_view.go

@@ -0,0 +1,216 @@
+// Copyright (c) 2023-2026, Nubificus LTD
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Per-container snapshot view: read-only mounts from shim-written urunc-view.json
+// (kernel, initrd, urunc.json bind-copied from image root). Mount descriptors are
+// persisted by the shim; this package does not dial containerd.
+
+package unikontainers
+
+import (
+	"context"
+	"encoding/json"
+	"errors"
+	"fmt"
+	"os"
+	"path/filepath"
+
+	"github.com/containerd/containerd/mount"
+	"golang.org/x/sys/unix"
+)
+
+const (
+	perContainerViewStateFile       = "urunc-view.json"
+	perContainerViewMountsStateFile = "urunc-view-mounts.json"
+)
+
+var errPerContainerViewNotPrepared = errors.New("snapshot view not prepared")
+
+type perContainerViewState struct {
+	ViewKey     string        `json:"view_key"`
+	Snapshotter string        `json:"snapshotter"`
+	Namespace   string        `json:"namespace"`
+	Mounts      []mount.Mount `json:"mounts,omitempty"`
+}
+
+type perContainerViewMountsState struct {
+	Targets []string `json:"targets,omitempty"`
+}
+
+// tryRunOnPerContainerView loads shim-written per-container view metadata from
+// the bundle directory, mounts that snapshot view read-only on a temp
+// directory, runs fn with that mount root, then unmounts and removes the temp dir.
+//
+// If no view was prepared (missing state file), returns (false, nil) so the
+// caller can fall back to the legacy path.
+//
+// If state exists, returns (true, err) where err is from mounting, fn, or
+// unmount (unmount failure is returned only when fn succeeded).
+func tryRunOnPerContainerView(ctx context.Context, bundle string, fn func(mountRoot string) error) (ok bool, retErr error) {
+	_ = ctx // API stability for callers; mount uses host paths from shim-persisted state only.
+	state, err := loadPerContainerViewState(bundle)
+	if err != nil {
+		if errors.Is(err, errPerContainerViewNotPrepared) {
+			return false, nil
+		}
+		return false, err
+	}
+
+	mountpoint, err := mkTempSnapshotViewDir()
+	if err != nil {
+		return false, err
+	}
+	defer os.RemoveAll(mountpoint)
+
+	if err := mountPerContainerViewReadonly(state, mountpoint); err != nil {
+		return false, err
+	}
+	defer func() {
+		if uerr := unmountSnapshotViewTemp(mountpoint); uerr != nil {
+			if retErr == nil {
+				retErr = uerr
+				return
+			}
+			uniklog.WithError(uerr).WithField("path", mountpoint).Warn("failed to unmount temporary snapshot view mount")
+		}
+	}()
+
+	retErr = fn(mountpoint)
+	return true, retErr
+}
+
+func loadPerContainerViewState(bundle string) (*perContainerViewState, error) {
+	path := filepath.Join(bundle, perContainerViewStateFile)
+	data, err := os.ReadFile(path)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return nil, errPerContainerViewNotPrepared
+		}
+		return nil, fmt.Errorf("read snapshot view state %s: %w", path, err)
+	}
+
+	var state perContainerViewState
+	if err := json.Unmarshal(data, &state); err != nil {
+		return nil, fmt.Errorf("unmarshal snapshot view state %s: %w", path, err)
+	}
+	return &state, nil
+}
+
+func mountPerContainerViewReadonly(state *perContainerViewState, target string) error {
+	if len(state.Mounts) == 0 {
+		return fmt.Errorf("snapshot view state %s has no mounts (recreate the container with an updated shim)", perContainerViewStateFile)
+	}
+
+	return mountReadonlySnapshotView(target, state.Mounts)
+}
+
+func mkTempSnapshotViewDir() (string, error) {
+	dir, err := os.MkdirTemp("", "urunc-snapshot-view-")
+	if err != nil {
+		return "", fmt.Errorf("create temporary snapshot view mountpoint: %w", err)
+	}
+	return dir, nil
+}
+
+func unmountSnapshotViewTemp(path string) error {
+	if err := mount.Unmount(path, 0); err != nil {
+		if os.IsNotExist(err) || err == unix.EINVAL {
+			return nil
+		}
+		uniklog.WithError(err).WithField("path", path).Warn("failed to unmount snapshot view")
+		return err
+	}
+	return nil
+}
+
+func mountReadonlySnapshotView(target string, mounts []mount.Mount) error {
+	if err := mount.All(mounts, target); err != nil {
+		return fmt.Errorf("mount snapshot view at %s for boot file bind: %w", target, err)
+	}
+
+	return nil
+}
+
+func persistPerContainerViewMountsState(bundle string, targets []string) error {
+	state := perContainerViewMountsState{Targets: targets}
+	data, err := json.Marshal(state)
+	if err != nil {
+		return fmt.Errorf("marshal snapshot view mount state: %w", err)
+	}
+
+	path := filepath.Join(bundle, perContainerViewMountsStateFile)
+	if err := os.WriteFile(path, data, 0o600); err != nil {
+		return fmt.Errorf("write snapshot view mount state %s: %w", path, err)
+	}
+
+	return nil
+}
+
+func loadPerContainerViewMountsState(bundle string) (*perContainerViewMountsState, error) {
+	path := filepath.Join(bundle, perContainerViewMountsStateFile)
+	data, err := os.ReadFile(path)
+	if err != nil {
+		if os.IsNotExist(err) {
+			return nil, nil
+		}
+		return nil, fmt.Errorf("read snapshot view mount state %s: %w", path, err)
+	}
+
+	var state perContainerViewMountsState
+	if err := json.Unmarshal(data, &state); err != nil {
+		return nil, fmt.Errorf("unmarshal snapshot view mount state %s: %w", path, err)
+	}
+
+	return &state, nil
+}
+
+func removePerContainerViewMountsState(bundle string) error {
+	path := filepath.Join(bundle, perContainerViewMountsStateFile)
+	if err := os.Remove(path); err != nil && !os.IsNotExist(err) {
+		return fmt.Errorf("remove snapshot view mount state %s: %w", path, err)
+	}
+
+	return nil
+}
+
+func cleanupPerContainerViewMounts(bundle string) error {
+	state, err := loadPerContainerViewMountsState(bundle)
+	if err != nil || state == nil {
+		return err
+	}
+
+	for i := len(state.Targets) - 1; i >= 0; i-- {
+		target := filepath.Clean(state.Targets[i])
+		if err := unix.Unmount(target, unix.MNT_DETACH); err != nil {
+			if err == unix.EINVAL || err == unix.ENOENT || os.IsNotExist(err) {
+				continue
+			}
+			return fmt.Errorf("failed to unmount snapshot view target %s: %w", target, err)
+		}
+	}
+
+	return removePerContainerViewMountsState(bundle)
+}
+
+func rollbackPerContainerViewTargets(targets []string) {
+	for i := len(targets) - 1; i >= 0; i-- {
+		target := filepath.Clean(targets[i])
+		if err := unix.Unmount(target, unix.MNT_DETACH); err != nil {
+			if err == unix.EINVAL || err == unix.ENOENT || os.IsNotExist(err) {
+				continue
+			}
+			uniklog.WithError(err).WithField("target", target).Warn("failed to roll back snapshot view bind mount")
+		}
+	}
+}

pkg/unikontainers/unikontainers.go

@@ -725,6 +725,9 @@ func (u *Unikontainer) Delete() error {
 	// if the monitorRootfsDirName directory exists under the bundle.
 	_, err = os.Stat(monRootfs)
 	if !os.IsNotExist(err) {
+		if err := cleanupPerContainerViewMounts(bundleDir); err != nil {
+			uniklog.WithError(err).Warn("failed to cleanup snapshot view mounts during delete")
+		}
 		// Since there was no block defined for the unikernel
 		// and we created a new rootfs for the monitor, we need to
 		// clean it up.