urunc-dev · sidneychang · May 23, 2026 · May 23, 2026 · May 23, 2026 · May 23, 2026
diff --git a/cmd/containerd-shim-urunc-v2/main.go b/cmd/containerd-shim-urunc-v2/main.go
@@ -17,11 +17,11 @@ package main
 import (
 	"context"
 
-	"github.com/containerd/containerd/runtime/v2/runc/manager"
 	"github.com/containerd/containerd/runtime/v2/shim"
 	_ "github.com/urunc-dev/urunc/pkg/containerd-shim"
+	containerdshim "github.com/urunc-dev/urunc/pkg/containerd-shim"
 )
 
 func main() {
-	shim.RunManager(context.Background(), manager.NewShimManager("io.containerd.urunc.v2"))
+	shim.RunManager(context.Background(), containerdshim.NewShimManager("io.containerd.urunc.v2"))
 }
diff --git a/deployment/urunc-deploy/config.toml b/deployment/urunc-deploy/config.toml
@@ -7,6 +7,9 @@ syslog = false
 [timestamps]
 enabled = false
 
+[rootfs_view]
+enabled = false
+
 [monitors.qemu]
 default_memory_mb = 256
 default_vcpus = 1

diff --git a/docs/configuration.md b/docs/configuration.md
@@ -38,6 +38,9 @@ default_vcpus = 1
 [extra_binaries.virtiofsd]
 path = "/usr/libexec/virtiofsd"
 options = "--sandbox none"
+
+[rootfs_view]
+enabled = false
 ```
 
 ## Configuration Sections
@@ -89,6 +92,34 @@ destination = "/tmp/urunc-timestamps.log"
 
 When enabled, `urunc` will log performance timestamps to help with debugging and optimization.
 
+### Rootfs View Configuration
+
+The `[rootfs_view]` section controls whether the urunc shim prepares a
+per-container containerd rootfs view at task Create (for `devmapper` /
+`blockfile` snapshotters). 
+
+| Option | Type | Default | Description |
+|--------|------|---------|-------------|
+| `enabled` | boolean | `false` | Prepare rootfs views for container block rootfs after shim task Create |
+
+When `enabled = true`, the shim first lets the wrapped task service create the
+task so the bundle rootfs is mounted. It then runs `ChooseRootfs` and prepares a
+view only if **all** of the following hold:
+
+1. The container snapshotter is block-based (`devmapper` or `blockfile`).
+2. Shim `ChooseRootfs` selected **container block rootfs** (`type=block` with a
+   non-empty `MountedPath`).
+
+This matches the block-rootfs boot-artifact path: kernel/initrd are read from a
+read-only view instead of being copied out of the container rootfs before attach.
+
+**Example:**
+
+```toml
+[rootfs_view]
+enabled = true
+```
+
 ### Monitor Configuration
 
 The `[monitors]` section allows you to configure default settings for different
@@ -201,6 +232,9 @@ To create a configuration file, you can:
    [monitors.spt]
    default_memory_mb = 256
    default_vcpus = 1
+
+   [rootfs_view]
+   enabled = false
    EOF
    ```
 
@@ -244,6 +278,9 @@ default_vcpus = 1
 default_memory_mb = 256
 default_vcpus = 1
 # path is not set by default - urunc will search in PATH
+
+[rootfs_view]
+enabled = false
 ```
 
 ## Notes

diff --git a/docs/package/index.md b/docs/package/index.md
@@ -73,6 +73,16 @@ Except of the above, `urunc` accepts the following optional annotations:
   requests from `urunc` to mount the container's image rootfs in the unikernel
   (either as a block device or through shared-fs).
 
+Per-container rootfs views are controlled by `[rootfs_view] enabled` in
+`/etc/urunc/config.toml`. See
+[configuration](../configuration.md#rootfs-view-configuration). When enabled,
+the container must also use `com.urunc.unikernel.mountRootfs=true` (typically
+from image annotations merged into `config.json` before shim task Create).
+Supported snapshotters include `devmapper` and `blockfile`. After the wrapped
+task service creates the task and mounts the bundle rootfs, the shim runs
+`ChooseRootfs` and prepares a view only when that selection is container block
+rootfs.
+
 Due to the fact that [Docker](https://www.docker.com/) and some high-level
 container runtimes do not pass the image annotations to the underlying container
 runtime, `urunc` can also read the above information from a file inside the

diff --git a/pkg/containerd-shim/containerd/annotations.go b/pkg/containerd-shim/containerd/annotations.go
@@ -86,7 +86,7 @@ func InjectUruncAnnotations(ctx context.Context, session *Session, bundlePath st
 		return nil
 	}
 
-	return patchConfigJSON(bundlePath, annotations)
+	return PatchConfigJSON(bundlePath, annotations)
 }
 
 func (f *annotationFetcher) fetchUruncAnnotations(ctx context.Context) (map[string]string, error) {
@@ -152,12 +152,12 @@ func readBlob(ctx context.Context, namespace string, contentClient contentapi.Co
 	return raw, nil
 }
 
-// patchConfigJSON injects missing annotations into the OCI runtime spec
-// stored in the bundle's config.json.
+// PatchConfigJSON injects missing annotations into the OCI runtime spec stored in
+// the bundle's config.json.
 //
 // Existing annotations in config.json are preserved. Only annotation keys that
 // are not already present in the runtime spec are added.
-func patchConfigJSON(bundlePath string, annotations map[string]string) error {
+func PatchConfigJSON(bundlePath string, annotations map[string]string) error {
 	configPath := filepath.Join(bundlePath, "config.json")
 
 	fi, err := os.Stat(configPath)