LFx Mentorship (urunc Optimize rootfs handling with block-based snapshotters)

[cmainas]

Mentorship plan: Optimize rootfs handling with block-based snapshotters

This discussion outlines the proposed plan as discussed with @sidneychang for the CNCF mentorship project "Optimize rootfs handling with block-based snapshotters" for urunc.

The plan is structured into three phases. Each phase has clear goals and specific outcomes, along with suggested tasks and sub-tasks to help guide the work. The listed sub-tasks are meant as guidance and reference points, they are not strict requirements. The exact order of tasks within each phase can be adjusted as long as the main outcomes are achieved.

Phase 1

The goal of Phase 1 is to build the necessary background and get familiar with containerd and its snapshotters. This phase is expected to last up to 3 weeks (02/03/2026 – 22/03/2026). During this time, the focus will be on understanding contianerd, the various snapshotters, and getting familiar with snapshots.

Tentative tasks and sub-tasks

• Theoretical background (containerd):
  • Study containerd architecture (core, shim, plugins, etc.)
  • Explore the workflow in containerd to setup a container and its rootfs
  • Identify which components are used to create the environment for the container environment setup and what each component does
• Theoretical background (snapshotters):
  • Study how containerd makes use of the snapshotters to create the rootfs
  • Understand the minimum capabilities a snapshotter must implement
  • Explore the technologies behind the snapshotters and how they are used to implement the operations that containerd requested (focus mostly on block-based ones).
• Hands on with containerd's API for snapshotters:
  • Using the ctr command play around with the snapshotters creating various snapshots and validating the theoretical background
  • Explore the API that ctr uses to communicate with containerd and perform the snapshot operations
  • Create a small client that communicates with containerd and sets up snapshots for the container's rootfs

Outcomes

Deadline: Completed no later than 22/03/2026 (AoE).
Description: A report with:

• the theoretical background of containerd's architecture with the workflow for the container creation and snaphotters
• the findings from the hands on exploration with the ctr tool and API
• the client that uses containerd's API to manage snapshots
• a report summarizing all the work

Phase 2

The goal of Phase 2 is to apply the knowledge gained in Phase 1 to urunc and begin implementing the use of view snapshots for obtaining the required boot files for the monitors. This phase is expected to last up to 5 weeks (23/03/2026 – 03/05/2026). During this time, the focus will shift to the practical implementation within urunc.

Tentative tasks and sub-tasks

• Getting familiar with urunc:
  • Set up an environment with urunc
  • Execute existing images with urunc
  • Build custom images with bunny and execute them with urunc
  • Understand the workflow to prepare the container's rootfs as the rootfs for the sandbox
• Create a Proof of Concept
  • Identify which parts of urunc should change to communicate with containerd
  • Create a high level overview of the required changes and how the new snapshots will get created
  • Begin the implementation in a branch with the rough changes that resolve the issue.
• Upstream the necessary changes:
  • Form the PoC from rough patches to a series of commits that can be merged.
  • Open PR and iterate over the necessary changes to merge it.
• Enhancing with further tests:
  • Provide the necessary testing for the new changes adding unit and integration tests
  • Create end to end tests to verify the correctness of the solution

Outcomes:

Deadline: Completed no later than 02/05/2026 (AoE).
Description: The following items:

1. A report with the high level overview of the changes, the implementation plan and a PoC
2. First PRs to support the view snapshots

Phase 3

The goal of Phase 3 is to finalize and polish the integration of view snapshots for obtaining the necessary boot files for the monitors.
This phase will also include an evaluation to demonstrate the benefits of the new approach (view snapshots) compared to the previous method (mounting and copying files). This phase is expected to last up to 4 weeks (04/05/2026 – 28/05/2026), with an emphasis on refinement, validation, and broader ecosystem exploration. During this period, the focus will be on refining the implementation, validating the design decisions through evaluation, and exploring related approaches in other high level runtimes.

Tentative tasks and sub-tasks

• Finish up the support of view snapshots:
  • Merge all necessary PRs for the support of view snapshots
  • Finish up with unit, integration and e2e tests.
• Evaluation:
  • Measure the execution time eith the view snapshots vs the old approach of (copying)
  • Measure the storage overhead of each approach
• Expanding the current support:
  • Explore how other runtimes (e.g. CRI-O and podman) setup the rootfs for the containerd
  • Explore how urunc can perform the same setup steps for block-based rootfs in other runtimes
  • Analyze the necessary changes to follow a similar approach with containerd for the other runtimes

Outcomes:

Deadline:: Completed no later than 29/05/2026 (AoE).
Description: The following items:

1. Merge all PRs with the support, testing etc.
2. A report with the:
   • evaluation results
   • findings from the exploration with the other runtimes

[cmainas]

Hello @sidneychang , please take a look of the above plan as discussed earlier and let me know if I missed anything or for any mistakes.

[sidneychang]

The following content captures my current understanding and findings from this week's exploration of containerd, rootfs setup, and snapshotters. It may still contain incomplete sections or inaccuracies, and I will continue improving and refining it as I explore the topic further.

1. Overall Architecture and Container rootfs Construction Workflow

• Positioning and Core Components

  • containerd sits between upper layers (Docker, kubelet, etc.) and lower‑level OCI runtimes (such as runc):
    • Content Store: stores image layers and other blobs using content hashes;
    • Snapshotter: builds mountable snapshots (overlayfs, btrfs, zfs, devmapper, etc.) based on layers in the Content Store;
    • Image Service: combines manifest/config/layers into the “image” abstraction and supports Pull/Push/Unpack;
    • Container Service: manages container objects (ID, rootfs snapshot name, OCI spec, runtime type, etc.);
    • Task Service: creates, starts, and stops tasks based on container objects and rootfs;
    • Shim + Runtime: the shim process and an OCI runtime (such as runc) jointly create and run the actual container process.

• Typical Workflow (From Image to Task)

A typical example appears in docs/features.md:

// 1. Pull the image and unpack it into the snapshotter
image, err := client.Pull(context, "docker.io/library/redis:latest", containerd.WithPullUnpack)

// 2. Allocate a rootfs and OCI spec for the container based on the image
redis, err := client.NewContainer(context, "redis-master",
	containerd.WithNewSnapshot("redis-rootfs", image),
	containerd.WithNewSpec(oci.WithImageConfig(image)),
)

// 3. Turn the container object into a runnable task
task, err := redis.NewTask(context, cio.NewCreator(cio.WithStdio))
defer task.Delete(context)

pid := task.Pid()
err = task.Start(context)
status, err := task.Wait(context)

This workflow can be abstracted as:

1. Pull + Unpack: store image layers in the Content Store and unpack them into a chain of read‑only snapshots through the snapshotter;
2. Container object: records the rootfs snapshot name and the complete OCI spec;
3. Task creation: Task Service + shim/runtime transform the container + rootfs into a runnable process;
4. Start / Wait / Delete: manage the lifecycle of the task.

---

2. rootfs Preparation and the Role of Snapshotter

2.1 InitRootFS: From Snapshot to rootfs

In pkg/rootfs/init.go, InitRootFS is the key entry point for rootfs initialization:

// InitRootFS initializes the snapshot for use as a rootfs
func InitRootFS(ctx context.Context, name string, parent digest.Digest, readonly bool, snapshotter snapshots.Snapshotter, mounter Mounter) ([]mount.Mount, error) {
	_, err := snapshotter.Stat(ctx, name)
	if err == nil {
		return nil, errors.New("rootfs already exists")
	}

	parentS := parent.String()

	initName := defaultInitializer
	initFn := initializers[initName]
	if initFn != nil {
		parentS, err = createInitLayer(ctx, parentS, initName, initFn, snapshotter, mounter)
		if err != nil {
			return nil, err
		}
	}

	if readonly {
		return snapshotter.View(ctx, name, parentS)
	}

	return snapshotter.Prepare(ctx, name, parentS)
}

Key points:

• parent is usually the top snapshot (or its digest) of the image rootfs;
• In read‑only scenarios, View is called to create a snapshot view that can be shared by multiple containers;
• In read‑write scenarios, Prepare is called to create an active snapshot used as the container’s writable layer;
• The return type is []mount.Mount, meaning a set of mount descriptions;
• Each mount.Mount includes Type (filesystem type), Source (device or directory), Target (mount point), and Options;
• InitRootFS itself does not perform the final mount of rootfs. It only returns a description of how rootfs should be mounted. The actual mount occurs later in the Task/shim stage.

2.2 Task and Shim: How rootfs Is Actually Used

• In the Task gRPC interface (api/services/tasks/v1/tasks.proto), the CreateTaskRequest.rootfs field is used to pass the pre‑chroot mount list;
• Task Service assembles container metadata (including OCI spec and runtime configuration) together with CreateTaskRequest.rootfs into runtime.CreateOpts;
• runtime v2 starts a shim, which then:
  • mounts the rootfs according to the mount.Mount list;
  • invokes the OCI runtime (runc) to execute the container process;
  • handles I/O forwarding and state reporting.

Thus, the snapshotter provides a mountable rootfs description, while the actual mounting and execution are performed by shim/runtime.

2.3 End‑to‑End rootfs Lifecycle

2.3 End-to-End Rootfs Flow (From Image to Process)

By connecting the pieces described above, we can derive a more complete lifecycle of the rootfs:

1. Pull + Unpack: Build the image snapshot chain

• client.Pull(..., containerd.WithPullUnpack): the Image Service stores the image layer blobs in the Content Store;
• the snapshotter creates a chain of read-only committed snapshots based on the layers (usually named by each layer’s diffID / chainID).

2. Determine the parent: choose the root snapshot

• For a given image, image.RootFS() together with identity.ChainID(...) is used to obtain the top-level chainID, which serves as the parent snapshot of the rootfs (i.e., the parent mentioned above).

3. Allocate a rootfs snapshot for a specific container

• Writable container: call Prepare (e.g., WithNewSnapshot or InitRootFS(..., readonly=false, ...)) to obtain an active snapshot key and the corresponding []mount.Mount;
• Read-only container: call View (e.g., WithNewSnapshotView or InitRootFS(..., readonly=true, ...)) to obtain a read-only view key and []mount.Mount;
• At this step, the snapshot is only registered in the snapshotter metadata and a mount description is returned; it has not yet been mounted to any directory.

4. Create the Container object: record rootfs information

• The Container Service creates a containers.Container entry that records:

  • the snapshotter name and the SnapshotKey (the key from the previous step);
  • the OCI spec related to the image or workload (including the rootfs path, whether it is read-only, etc.).

5. Create the Task: rootfs mount information enters the Task Service

• When container.NewTask(...) is called, the Task Service will:

  • retrieve the rootfs []mount.Mount from the snapshotter (or directly use the mount description passed from the previous step);
  • place it into CreateTaskRequest.rootfs, and send it together with the OCI spec and runtime name to the shim/runtime.

6. shim/runtime stage: perform the actual rootfs mount and start the process

• After the shim receives CreateTaskRequest, inside the container bundle directory it will:

  • execute mounts one by one according to rootfs []mount.Mount (usually mounting to bundle/rootfs);
  • invoke the OCI runtime (such as runc create / runc start), where the runtime performs pivot_root or chroot on this rootfs and finally starts the container process.

7. Cleanup and reclamation

• When the Task is deleted, the shim is responsible for unmounting the rootfs and related mount points;

• At the upper layer, depending on policy:

  • an active snapshot may call Commit (to produce a new image layer) or Remove (discard it directly);
  • a View snapshot is usually removed directly when no longer needed, while the actual reclamation of underlying resources is handled by GC/lease/label mechanisms.

This shows clearly how the rootfs evolves from “a chain of committed snapshots built from image layers” into “the / filesystem seen by the container process.” In between, the main steps are: snapshotter (Prepare/View) → Container/Task Service (assemble rootfs mount descriptions) → shim/runtime (perform the actual mount and pivot_root).

---

3. Snapshotter Abstraction and Minimal Capabilities

3.1 Snapshotter Interface and Lifecycle

The unified snapshotter interface is defined in core/snapshots/snapshotter.go:

type Snapshotter interface {
        Stat(ctx context.Context, key string) (Info, error)
        Update(ctx context.Context, info Info, fieldpaths ...string) (Info, error)
        Usage(ctx context.Context, key string) (Usage, error)
        Mounts(ctx context.Context, key string) ([]mount.Mount, error)

        Prepare(ctx context.Context, key, parent string, opts ...Opt) ([]mount.Mount, error)
        View(ctx context.Context, key, parent string, opts ...Opt) ([]mount.Mount, error)

        Commit(ctx context.Context, name, key string, opts ...Opt) error
        Remove(ctx context.Context, key string) error

        Walk(ctx context.Context, fn WalkFunc, filters ...string) error
        Close() error
}

The responsibilities of each interface method can be understood as follows:

• Stat: query metadata of a snapshot key

  • Typical use: verify whether a snapshot exists, obtain parent-child relationships, state (Active / Committed / View), etc.

• Update: update selected fields of snapshot metadata (usually labels or descriptive information), where fieldpaths specifies the fields to update

  • Typical use: attach labels to existing snapshots, adjust GC behavior (for example containerd.io/gc.root).

• Usage: report disk usage and inode consumption of a snapshot

  • Typical use: quota control, cleanup policies, and monitoring storage usage.

• Mounts: given an existing snapshot key, return the []mount.Mount description required to mount it

  • Typical use: retrieve mount parameters without changing snapshot state (for example debugging or reusing an existing rootfs).

• Prepare: create a writable active snapshot from a parent snapshot and return the corresponding mount information

  • Typical use: allocate a writable layer (upperdir) for a container, which may later be committed or removed.

• View: create a read-only view from a parent snapshot and return mount information

  • Typical use: allow multiple read-only containers to share the same base image layer, or mount a committed snapshot for debugging.

• Commit: convert an active snapshot key into a new committed snapshot name

  • Typical use: after container build finishes, turn the writable layer into a new image layer or produce a customized base image.

• Remove: delete a snapshot key and its underlying resources

  • Typical use: reclaim disk space when containers or images are no longer needed; usually triggered by GC or explicitly by higher layers.

• Walk: iterate through all snapshots managed by the snapshotter, optionally filtered

  • Typical use: implement GC, diagnostic tools, or visualization (for example the traversal behind ctr snapshots ls/tree).

• Close: close the snapshotter and release internal resources

  • Typical use: during containerd shutdown or when standalone tools using a snapshotter exit.

From the containerd perspective, the minimal capabilities of a snapshotter can be summarized as:

• Create active or read-only snapshots from a parent (Prepare / View) and return the rootfs mount description ([]mount.Mount);
• Convert active snapshots into committed snapshots (Commit) and remove unused snapshots (Remove);
• Provide snapshot metadata (Stat), disk usage information (Usage), traversal (Walk), and metadata updates (Update).

---

3.1.1 Labels and Leases on Snapshots

When calling Prepare or View, you often see options such as snapshots.WithLabels(labels). These labels, together with containerd’s lease mechanism, determine why a snapshot exists and when it can be removed by GC.

• Labels: arbitrary key–value pairs attached to snapshots

  • Formally a map[string]string, written via snapshots.WithLabels or Update.

  • Which component consumes these labels depends on higher-level logic. Common uses include:

    • GC control: for example containerd.io/gc.root: <timestamp>. GC treats objects with this label as roots and will not delete them automatically.
    • Operational or debugging metadata: record owner, source, trace ID, etc.
    • Feature switches: some snapshotters or plugins interpret specific labels to enable or disable functionality.

• Leases: standalone “lease objects” that reference groups of resources

  • Managed by leases.Service. A lease can reference multiple resources such as content, snapshots, or containers.

  • As long as a lease exists, resources referenced by it will not be garbage-collected.

  • Typical uses:

    • When pulling images, unpacking, or building images, create a lease for the entire operation session and attach all intermediate snapshots and content to it.
    • After the operation completes (successfully or not), release the lease so that unused intermediate resources can be collected.

Recommended practices

• For short-lived snapshots or views tied to a container or session lifecycle, attach them to a lease and let the lease control their lifetime.
• For the rare cases where snapshots must be permanently pinned, use labels such as containerd.io/gc.root to mark them as GC roots.
• For business metadata or debugging information, simply attach custom labels (for example myruntime.view.owner=<container-id>).

Roughly speaking, labels describe what the object is and who owns it, while leases represent who is currently using it. Together they allow snapshots to safely exist temporarily or long-term under GC management.

A snapshotter itself is only responsible for storing and describing filesystem state. It does not directly hold mounts; mounting timing and lifecycle are controlled by the mount manager or by shim/runtime (see docs/mounts.md).

---

3.2 Block-Device-Based Snapshotters: devmapper and blockfile

3.2.1 Devmapper Snapshotter (Device-mapper thin-pool)

• Documentation: docs/snapshotters/devmapper.md
• Implementation: plugins/snapshots/devmapper/*

Core idea:

• Use the Linux Device-mapper thin-pool to allocate a thin device (logical block device) for each snapshot, and create an ext4 or xfs filesystem on top of it.
• Parent-child relationships between snapshots are represented through thin-pool block-level copy-on-write (CoW), making it suitable for storage-intensive and high-density container scenarios.

Mapping to the Snapshotter interface (selected examples):

• Prepare / View: create a new thin device and return a mount.Mount list using that device as the source.
• Commit: record snapshot metadata and usage statistics, then suspend/resume and deactivate the device to prevent accidental modification by other tools.
• Remove: delete snapshot metadata and call RemoveDevice to release the thin device.

---

3.2.2 Blockfile Snapshotter (Sparse File + loop/VM)

• Documentation: docs/snapshotters/blockfile.md

Core idea:

• Each snapshot corresponds to a disk image file (a sparse blockfile) containing a filesystem.
• Inheritance from the parent layer is implemented by copying the parent blockfile and applying the new layer diff.
• This design works well when containers run inside VMs, where the blockfile can be attached directly as a virtual disk.

Mapping to the Snapshotter interface:

• Prepare / View: create a new blockfile (either from scratch or copied from the parent), then return the corresponding mount.Mount description (often combined with loop/mkfs/mkdir transformers).
• Commit: associate the blockfile with snapshot metadata without additional diff computation.
• Remove: delete the blockfile and its metadata; sparse files help reduce actual disk usage.

Whether using overlayfs, devmapper, or blockfile, containerd always exposes the same Snapshotter interface and the same []mount.Mount description to upper layers. Implementation differences are fully encapsulated inside the snapshotter plugin. From the containerd perspective, the only concern is how to mount the resulting filesystem as the container rootfs.

---

4. Hands‑on Snapshotter Operations with ctr

4.1 Viewing Snapshotter Plugins

sudo ctr plugins ls | grep snapshotter

Example output:

io.containerd.snapshotter.v1           aufs                     linux/amd64    ok
io.containerd.snapshotter.v1           devmapper                linux/amd64    ok
io.containerd.snapshotter.v1           native                   linux/amd64    ok
io.containerd.snapshotter.v1           overlayfs                linux/amd64    ok

4.2 Creating and Committing Snapshots

sudo ctr images pull docker.io/library/busybox:latest
sudo ctr snapshots ls

Create an active snapshot:

sudo ctr snapshots prepare my-active-snap parent-snapshot

Commit it:

sudo ctr snapshots commit my-committed-snap my-active-snap

Remove it:

sudo ctr snapshots rm my-committed-snap

4.3 Debugging Mounts

ctr snapshots mounts /mnt/test-rootfs snapshot-key

This prints the exact mount command used to construct the rootfs.

---

5. Snapshot gRPC / Go API Entry Points

5.1 gRPC Definition

Defined in api/services/snapshots/v1/snapshots.proto:

service Snapshots {
  rpc Prepare(PrepareSnapshotRequest) returns (PrepareSnapshotResponse);
  rpc View(ViewSnapshotRequest) returns (ViewSnapshotResponse);
  rpc Mounts(MountsRequest) returns (MountsResponse);
  rpc Commit(CommitSnapshotRequest) returns (google.protobuf.Empty);
  rpc Remove(RemoveSnapshotRequest) returns (google.protobuf.Empty);
  rpc Stat(StatSnapshotRequest) returns (StatSnapshotResponse);
  rpc Update(UpdateSnapshotRequest) returns (UpdateSnapshotResponse);
  rpc List(ListSnapshotsRequest) returns (stream ListSnapshotsResponse);
  rpc Usage(UsageRequest) returns (UsageResponse);
  rpc Cleanup(CleanupRequest) returns (google.protobuf.Empty);
}

5.2 How ctr Uses the API

• ctr connects to containerd using gRPC;
• retrieves a SnapshotService client;
• invokes operations such as Prepare, View, Commit, Remove, and Usage.

---

6. Minimal Go Client Example

A minimal program demonstrating how to connect to containerd and create an active snapshot:

package main

import (
	"context"
	"fmt"
	"log"
	"time"

	containerd "github.com/containerd/containerd/v2/client"
	"github.com/containerd/containerd/v2/core/snapshots"
)

func main() {
	ctx := context.Background()

	client, err := containerd.New("/run/containerd/containerd.sock")
	if err != nil {
		log.Fatalf("connect containerd: %v", err)
	}
	defer client.Close()

	sn := client.SnapshotService("overlayfs")

	parent := "<existing-snapshot-name-or-chainid>"

	key := fmt.Sprintf("demo-rootfs-%d", time.Now().UnixNano())

	labels := map[string]string{
		"containerd.io/gc.root": time.Now().UTC().Format(time.RFC3339),
	}

	mounts, err := sn.Prepare(ctx, key, parent, snapshots.WithLabels(labels))
	if err != nil {
		log.Fatalf("prepare snapshot: %v", err)
	}

	fmt.Printf("Prepared snapshot %q (parent %q):\n", key, parent)
	for _, m := range mounts {
		fmt.Printf("- Type=%s Source=%s Target=%s Options=%v\n",
			m.Type, m.Source, m.Target, m.Options)
	}
}

[cmainas]

Thank you @sidneychang for the detailed explanation. Everything looks good.

[sidneychang]

Last week I also ran some preliminary startup latency tests in my prototype impletation.

In this prototype, the snapshot view is created in the shim before launching urunc. The idea is to prepare a read-only view of the container snapshot and expose the required artifacts (e.g., unikernel, initrd, and configuration files) to the runtime without directly copying them from the snapshot device.

To understand the impact of this approach on startup latency, I added instrumentation logs around the snapshot view creation path in the shim. The experiments were conducted using the nginx-qemu-linux-raw image.
To understand where the time is spent, I added logging and breakpoints to measure the duration of each step during snapshot view creation.

The results suggest that the dominant cost comes from the devmapper snapshot view creation itself. A typical run shows:

Operation	Duration
SnapshotService.View	~128 ms
view mount (mount.All)	~9 ms
lease operations (Create + AddResource)	~25 ms

This results in roughly ~170 ms of additional control-plane overhead in the startup path when the snapshot view is created.

For comparison, in the previous implementation we directly copied the required files (unikernel, initrd, and urunc.json) from the snapshot device. Based on instrumentation inside urunc, the file extraction path typically takes around 10–15 ms.

This difference is also reflected in the end-to-end startup measurements:

Mode	Avg startup time
no-view	~0.9 s
view	~1.1–1.2 s

From these preliminary results, the additional latency appears to come mainly from the control-plane operations required to create the snapshot view (interaction with containerd, snapshot service calls, and metadata updates).

For relatively small images such as redis or nginx, the snapshot view approach does not seem to reduce startup latency in our tests. The overhead of creating the view appears to outweigh the cost of copying a small number of files from the snapshot device.

That said, snapshot views may still be beneficial in other scenarios (for example larger images, repeated snapshot reuse, or cases where reducing filesystem duplication is more important than minimizing startup latency).

I would be interested to hear whether this observation aligns with the intended usage model of snapshot views, or if there are scenarios where this approach would be expected to perform better.

[cmainas]

Thank you @sidneychang for this early evaluation. To be honest, I was not expecting the snapshot creation to require that much time. On the other hand, the small overhead of copying files in urunc can be explained from the fact that these operations take place in tmpfs.

However, as you already mentioned snapshot views will be beneficial in some scenarios. I do not believe that these scenarios are larger images, since we are only interested in some specific files. However, in case we deploy multiple containers with the same image (and hence reducing duplication), snapshot views will perform better than copying files. For example with the numbers form the early evaluation spawning ~12 containers with the same image could have the same overhead as creating a single snapshot view and sharing it among all of the containers. Also, this overhead will affect entirely the first container and not the rest.

Another point that would be helpful to search is if the size of the image affects the time required for the creation of the view snapshot. If that is the case, then we can explore ways to decrease the size of the snapshot we are interested (e.g. only first layer of the image, I am not sure if this is possible).

[sidneychang]

Thank you for the suggestion. I also think that sharing the same snapshot view across multiple containers is a feasible direction. In fact, I had considered this possibility earlier as well. My main concern is how to properly manage the lifecycle of such a view. Since this view would not be created directly by containerd, we would need a mechanism to ensure that containerd can reclaim it at the appropriate time. I will investigate how this could be handled safely.

Regarding the snapshot size, I noticed that when containerd creates a view snapshot, most of the work seems to involve database updates and metadata writes. Because of that, I am not entirely sure whether the size of the selected layer actually has a significant impact on the creation time. Even if it does, interacting with containerd through APIs (for example when using lightweight operations like leases) already takes a few milliseconds. Therefore, it might be difficult for snapshot views alone to significantly improve container startup latency.

[sidneychang]

During some startup latency experiments with urunc + containerd + devmapper snapshotter, I observed several behaviors that might be interesting to share.

The goal of the experiment was to explore container startup latency under different snapshot usage patterns.

One important note about the environment: the experiments were conducted on a VM with relatively limited memory, but according to system monitoring during the tests, no swap space was used, so the observed latency does not appear to be related to swapping.

Testing Method

Originally, the testing pattern was:

1. Start a container
2. Stop it
3. Start the next container

Under this pattern, the startup latency remained relatively stable.

Later, to explore snapshot reuse behavior, the testing method was changed to:

1. Start a first container and keep it running
2. Repeatedly start and stop additional containers using the same image

Observation 1: Higher Startup Latency When Another Container Is Running

When using the devmapper snapshotter, it appears that if there is already a container running based on the same image, starting additional containers tends to have higher startup latency.

From instrumentation logs added around the runtime startup path, the increased latency is not due to urunc itself, but mainly comes from TaskService.Create().

Example results (baseline implementation without snapshot views):

[1/3] ensuring image is present (pull if missing)...
image already present locally, skipping pull

[2/3] starting first long-lived container (kept until tests finish)...
0.84
first container id: a160df0fd7c5

[3/3] running remaining containers while keeping the first one alive...

run 2 / 10   1.36
run 3 / 10   1.34
run 4 / 10   1.33
run 5 / 10   1.27
run 6 / 10   1.35
run 7 / 10   1.28
run 8 / 10   1.29
run 9 / 10   1.25
run 10 / 10  1.22

Compared with the first container startup (~0.8–1.0s), additional containers tend to start around 1.2–1.5s when another container based on the same image is already running.

Observation 2: Using a Shared Snapshot View

I experimented with an approach intended to reuse the snapshot view more explicitly:

Create a snapshot view

Mount the view block device on the host filesystem

Share the mounted filesystem with multiple containers via bind mounts

In other words, instead of letting each container mount its own snapshot, multiple containers reuse the same mounted filesystem derived from the snapshot view.

In this setup, I observed that container startup latency fluctuates significantly more, again mainly due to TaskService.Create, rather than urunc itself.

[1/3] ensuring image is present (pull if missing)...
image already present locally, skipping pull

[2/3] starting first long-lived container (kept until tests finish)...
1.16
first container id: 949808466484

[3/3] running remaining containers while keeping the first one alive...

run 2 / 10   1.44
run 3 / 10   1.52
run 4 / 10   1.18
run 5 / 10   1.30
run 6 / 10   1.47
run 7 / 10   1.40
run 8 / 10   1.48
run 9 / 10   1.51
run 10 / 10  1.73

At this stage, the focus is not on whether the view-based implementation is faster or slower, but rather on the latency variability observed during repeated container startups.

Overall, compared with the baseline pattern, the view-based approach showed noticeably larger startup latency variance in the tests.

I am continuing to investigate the underlying causes in the containerd snapshotter and runtime startup path, and I will update this thread if I find additional details.