feat(shim): wire rootfs view into task lifecycle

Prepare a read-only rootfs view after guest rootfs choice on Create and
tear down containerd view resources on task Delete when the shim process
is still alive.

Signed-off-by: sidneychang <2190206983@qq.com>

Author: sidneychang

docs/configuration.md

@@ -102,6 +102,17 @@ per-container containerd rootfs view at task Create (for `devmapper` /
 |--------|------|---------|-------------|
 | `enabled` | boolean | `false` | Prepare rootfs views for container block rootfs after shim task Create |
 
+When `enabled = true`, the shim first lets the wrapped task service create the
+task so the bundle rootfs is mounted. It then runs `ChooseRootfs` and prepares a
+view only if **all** of the following hold:
+
+1. The container snapshotter is block-based (`devmapper` or `blockfile`).
+2. Shim `ChooseRootfs` selected **container block rootfs** (`type=block` with a
+   non-empty `MountedPath`).
+
+This matches the block-rootfs boot-artifact path: kernel/initrd are read from a
+read-only view instead of being copied out of the container rootfs before attach.
+
 **Example:**
 
 ```toml

docs/package/index.md

@@ -73,6 +73,16 @@ Except of the above, `urunc` accepts the following optional annotations:
   requests from `urunc` to mount the container's image rootfs in the unikernel
   (either as a block device or through shared-fs).
 
+Per-container rootfs views are controlled by `[rootfs_view] enabled` in
+`/etc/urunc/config.toml`. See
+[configuration](../configuration.md#rootfs-view-configuration). When enabled,
+the container must also use `com.urunc.unikernel.mountRootfs=true` (typically
+from image annotations merged into `config.json` before shim task Create).
+Supported snapshotters include `devmapper` and `blockfile`. After the wrapped
+task service creates the task and mounts the bundle rootfs, the shim runs
+`ChooseRootfs` and prepares a view only when that selection is container block
+rootfs.
+
 Due to the fact that [Docker](https://www.docker.com/) and some high-level
 container runtimes do not pass the image annotations to the underlying container
 runtime, `urunc` can also read the above information from a file inside the

pkg/containerd-shim/guest_rootfs.go

@@ -24,6 +24,7 @@ import (
 	taskAPI "github.com/containerd/containerd/api/runtime/task/v2"
 	specs "github.com/opencontainers/runtime-spec/specs-go"
 	"github.com/urunc-dev/urunc/pkg/unikontainers"
+	"github.com/urunc-dev/urunc/pkg/unikontainers/types"
 )
 
 const annotRootfsParams = "com.urunc.internal.rootfs.params"
@@ -33,35 +34,35 @@ var errGuestRootfsChoiceSkipped = errors.New("guest rootfs choice skipped")
 // chooseGuestRootfs runs the same ChooseRootfs logic as runtime Exec after inner
 // task Create (#684) and records the result in annotRootfsParams so Exec knows
 // selection already happened.
-func chooseGuestRootfs(r *taskAPI.CreateTaskRequest) error {
+func chooseGuestRootfs(r *taskAPI.CreateTaskRequest) (types.RootfsParams, error) {
 	configPath := filepath.Join(r.Bundle, "config.json")
 	info, err := os.Stat(configPath)
 	if err != nil {
-		return fmt.Errorf("stat config.json: %w", err)
+		return types.RootfsParams{}, fmt.Errorf("stat config.json: %w", err)
 	}
 
 	data, err := os.ReadFile(configPath)
 	if err != nil {
-		return fmt.Errorf("read config.json: %w", err)
+		return types.RootfsParams{}, fmt.Errorf("read config.json: %w", err)
 	}
 
 	var spec specs.Spec
 	if err := json.Unmarshal(data, &spec); err != nil {
-		return fmt.Errorf("unmarshal config.json: %w", err)
+		return types.RootfsParams{}, fmt.Errorf("unmarshal config.json: %w", err)
 	}
 	if spec.Root == nil {
-		return fmt.Errorf("invalid OCI spec: root section is required")
+		return types.RootfsParams{}, fmt.Errorf("invalid OCI spec: root section is required")
 	}
 
 	config, err := unikontainers.GetUnikernelConfig(filepath.Clean(r.Bundle), &spec)
 	if err != nil {
-		return fmt.Errorf("%w: %w", errGuestRootfsChoiceSkipped, err)
+		return types.RootfsParams{}, fmt.Errorf("%w: %w", errGuestRootfsChoiceSkipped, err)
 	}
 
 	annotations := config.Map()
 	uruncCfg, err := unikontainers.LoadUruncConfig(unikontainers.UruncConfigPath)
 	if err != nil && uruncCfg == nil {
-		return err
+		return types.RootfsParams{}, err
 	}
 
 	rootfsParams, err := unikontainers.ChooseRootfs(
@@ -71,12 +72,12 @@ func chooseGuestRootfs(r *taskAPI.CreateTaskRequest) error {
 		uruncCfg,
 	)
 	if err != nil {
-		return err
+		return types.RootfsParams{}, err
 	}
 
 	encoded, err := json.Marshal(rootfsParams)
 	if err != nil {
-		return err
+		return types.RootfsParams{}, err
 	}
 	if spec.Annotations == nil {
 		spec.Annotations = make(map[string]string)
@@ -85,8 +86,10 @@ func chooseGuestRootfs(r *taskAPI.CreateTaskRequest) error {
 
 	patched, err := json.MarshalIndent(spec, "", "  ")
 	if err != nil {
-		return fmt.Errorf("marshal config.json: %w", err)
+		return types.RootfsParams{}, fmt.Errorf("marshal config.json: %w", err)
 	}
-
-	return os.WriteFile(configPath, patched, info.Mode())
+	if err := os.WriteFile(configPath, patched, info.Mode()); err != nil {
+		return types.RootfsParams{}, err
+	}
+	return rootfsParams, nil
 }

pkg/containerd-shim/task_plugin.go

@@ -15,6 +15,9 @@
 package containerdshim
 
 import (
+	"os"
+	"path/filepath"
+
 	"github.com/containerd/containerd/pkg/shutdown"
 	"github.com/containerd/containerd/plugin"
 	runcTask "github.com/containerd/containerd/runtime/v2/runc/task"
@@ -45,9 +48,15 @@ func init() {
 				return nil, err
 			}
 
+			cwd, err := os.Getwd()
+			if err != nil {
+				return nil, err
+			}
+
 			return &taskService{
 				TaskService:       inner,
 				containerdAddress: ic.Address,
+				stateRoot:         filepath.Dir(filepath.Dir(cwd)),
 			}, nil
 		},
 	})

pkg/containerd-shim/task_service.go

@@ -17,8 +17,11 @@ package containerdshim
 import (
 	"context"
 	"errors"
+	"fmt"
+	"path/filepath"
 
 	taskAPI "github.com/containerd/containerd/api/runtime/task/v2"
+	"github.com/containerd/containerd/namespaces"
 	"github.com/containerd/log"
 	"github.com/containerd/ttrpc"
 	containerdShim "github.com/urunc-dev/urunc/pkg/containerd-shim/containerd"
@@ -31,6 +34,8 @@ type taskService struct {
 	taskAPI.TaskService
 
 	containerdAddress string
+	// Used on Delete, where cwd may no longer be the bundle.
+	stateRoot string
 }
 
 func (s *taskService) Create(ctx context.Context, r *taskAPI.CreateTaskRequest) (*taskAPI.CreateTaskResponse, error) {
@@ -53,9 +58,8 @@ func (s *taskService) Create(ctx context.Context, r *taskAPI.CreateTaskRequest)
 		return resp, err
 	}
 
-	// ChooseRootfs after inner task Create so bundle rootfs is mounted;
-	// params are persisted in bundle config.json for runtime Exec.
-	if err := chooseGuestRootfs(r); err != nil {
+	rootfsChoice, err := chooseGuestRootfs(r)
+	if err != nil {
 		if errors.Is(err, errGuestRootfsChoiceSkipped) {
 			log.G(ctx).WithError(err).Debug("urunc(shim): guest rootfs choice skipped")
 			return resp, nil
@@ -64,14 +68,92 @@ func (s *taskService) Create(ctx context.Context, r *taskAPI.CreateTaskRequest)
 		return nil, err
 	}
 
+	log.G(ctx).WithFields(map[string]any{
+		"rootfs_type": rootfsChoice.Type,
+		"rootfs_path": rootfsChoice.Path,
+		"mon_rootfs":  rootfsChoice.MonRootfs,
+	}).Debug("urunc(shim): guest rootfs chosen")
+
+	if session != nil {
+		rootfsViewAccessor := containerdShim.NewRootfsViewAccessor(session)
+		if rootfsViewAccessor.ShouldPrepare(rootfsChoice) {
+			if err := rootfsViewAccessor.Prepare(ctx, r.Bundle); err != nil {
+				log.G(ctx).WithError(err).Warn("urunc(shim): failed to prepare rootfs view; falling back to legacy boot artifact extraction")
+			} else {
+				log.G(ctx).Debug("urunc(shim): rootfs view prepared")
+			}
+		} else {
+			log.G(ctx).WithField("rootfs_type", rootfsChoice.Type).Debug("urunc(shim): rootfs view prepare skipped")
+		}
+	}
+
 	return resp, nil
 }
 
 func (s *taskService) Delete(ctx context.Context, r *taskAPI.DeleteRequest) (*taskAPI.DeleteResponse, error) {
-	return s.TaskService.Delete(ctx, r)
+	shouldCleanup := false
+	snapshotter := ""
+	var loadErr error
+
+	if r.ExecID == "" {
+		bundle, err := s.bundlePathFor(ctx, r.ID)
+		if err != nil {
+			log.G(ctx).WithError(err).Warn("urunc(shim): resolve bundle path during Delete failed")
+			loadErr = err
+		} else {
+			// Read view state before inner Delete; snapshotter is taken from bundle
+			// (written at Prepare) because container metadata may be gone after Delete.
+			shouldCleanup, snapshotter, loadErr = containerdShim.ShouldCleanupRootfsView(bundle)
+		}
+	}
+
+	// Delete tears down the monitor namespace before removing the view it may pin.
+	resp, err := s.TaskService.Delete(ctx, r)
+
+	if loadErr != nil {
+		if err != nil {
+			return resp, err
+		}
+		return resp, loadErr
+	}
+
+	if shouldCleanup {
+		session, sessionErr := containerdShim.OpenSession(ctx, s.containerdAddress, r.ID)
+		if sessionErr != nil {
+			log.G(ctx).WithError(sessionErr).Warn("urunc(shim): open containerd session for rootfs view cleanup failed")
+			if err == nil {
+				err = sessionErr
+			}
+		} else {
+			defer func() {
+				if err := session.Close(); err != nil {
+					log.G(ctx).WithError(err).Warn("urunc(shim): failed to close containerd session after rootfs view cleanup")
+				}
+			}()
+			if cleanupErr := containerdShim.NewRootfsViewAccessor(session).Cleanup(ctx, snapshotter); cleanupErr != nil {
+				log.G(ctx).WithError(cleanupErr).Warn("urunc(shim): delete rootfs view during Delete failed")
+				if err == nil {
+					err = cleanupErr
+				}
+			}
+		}
+	}
+
+	return resp, err
 }
 
 func (s *taskService) RegisterTTRPC(server *ttrpc.Server) error {
 	taskAPI.RegisterTaskService(server, s)
 	return nil
 }
+
+func (s *taskService) bundlePathFor(ctx context.Context, containerID string) (string, error) {
+	if s.stateRoot == "" {
+		return "", fmt.Errorf("task service state root is empty (shim cwd layout assumption violated)")
+	}
+	ns, err := namespaces.NamespaceRequired(ctx)
+	if err != nil {
+		return "", fmt.Errorf("namespace required: %w", err)
+	}
+	return filepath.Join(s.stateRoot, ns, containerID), nil
+}