LFx Mentorship (urunc Optimize rootfs handling with block-based snapshotters)

[cmainas]

Mentorship plan: Optimize rootfs handling with block-based snapshotters

This discussion outlines the proposed plan as discussed with @sidneychang for the CNCF mentorship project "Optimize rootfs handling with block-based snapshotters" for urunc.

The plan is structured into three phases. Each phase has clear goals and specific outcomes, along with suggested tasks and sub-tasks to help guide the work. The listed sub-tasks are meant as guidance and reference points, they are not strict requirements. The exact order of tasks within each phase can be adjusted as long as the main outcomes are achieved.

Phase 1

The goal of Phase 1 is to build the necessary background and get familiar with containerd and its snapshotters. This phase is expected to last up to 3 weeks (02/03/2026 – 22/03/2026). During this time, the focus will be on understanding contianerd, the various snapshotters, and getting familiar with snapshots.

Tentative tasks and sub-tasks

• Theoretical background (containerd):
  • Study containerd architecture (core, shim, plugins, etc.)
  • Explore the workflow in containerd to setup a container and its rootfs
  • Identify which components are used to create the environment for the container environment setup and what each component does
• Theoretical background (snapshotters):
  • Study how containerd makes use of the snapshotters to create the rootfs
  • Understand the minimum capabilities a snapshotter must implement
  • Explore the technologies behind the snapshotters and how they are used to implement the operations that containerd requested (focus mostly on block-based ones).
• Hands on with containerd's API for snapshotters:
  • Using the ctr command play around with the snapshotters creating various snapshots and validating the theoretical background
  • Explore the API that ctr uses to communicate with containerd and perform the snapshot operations
  • Create a small client that communicates with containerd and sets up snapshots for the container's rootfs

Outcomes

Deadline: Completed no later than 22/03/2026 (AoE).
Description: A report with:

• the theoretical background of containerd's architecture with the workflow for the container creation and snaphotters
• the findings from the hands on exploration with the ctr tool and API
• the client that uses containerd's API to manage snapshots
• a report summarizing all the work

Phase 2

The goal of Phase 2 is to apply the knowledge gained in Phase 1 to urunc and begin implementing the use of view snapshots for obtaining the required boot files for the monitors. This phase is expected to last up to 5 weeks (23/03/2026 – 03/05/2026). During this time, the focus will shift to the practical implementation within urunc.

Tentative tasks and sub-tasks

• Getting familiar with urunc:
  • Set up an environment with urunc
  • Execute existing images with urunc
  • Build custom images with bunny and execute them with urunc
  • Understand the workflow to prepare the container's rootfs as the rootfs for the sandbox
• Create a Proof of Concept
  • Identify which parts of urunc should change to communicate with containerd
  • Create a high level overview of the required changes and how the new snapshots will get created
  • Begin the implementation in a branch with the rough changes that resolve the issue.
• Upstream the necessary changes:
  • Form the PoC from rough patches to a series of commits that can be merged.
  • Open PR and iterate over the necessary changes to merge it.
• Enhancing with further tests:
  • Provide the necessary testing for the new changes adding unit and integration tests
  • Create end to end tests to verify the correctness of the solution

Outcomes:

Deadline: Completed no later than 02/05/2026 (AoE).
Description: The following items:

1. A report with the high level overview of the changes, the implementation plan and a PoC
2. First PRs to support the view snapshots

Phase 3

The goal of Phase 3 is to finalize and polish the integration of view snapshots for obtaining the necessary boot files for the monitors.
This phase will also include an evaluation to demonstrate the benefits of the new approach (view snapshots) compared to the previous method (mounting and copying files). This phase is expected to last up to 4 weeks (04/05/2026 – 28/05/2026), with an emphasis on refinement, validation, and broader ecosystem exploration. During this period, the focus will be on refining the implementation, validating the design decisions through evaluation, and exploring related approaches in other high level runtimes.

Tentative tasks and sub-tasks

• Finish up the support of view snapshots:
  • Merge all necessary PRs for the support of view snapshots
  • Finish up with unit, integration and e2e tests.
• Evaluation:
  • Measure the execution time eith the view snapshots vs the old approach of (copying)
  • Measure the storage overhead of each approach
• Expanding the current support:
  • Explore how other runtimes (e.g. CRI-O and podman) setup the rootfs for the containerd
  • Explore how urunc can perform the same setup steps for block-based rootfs in other runtimes
  • Analyze the necessary changes to follow a similar approach with containerd for the other runtimes

Outcomes:

Deadline:: Completed no later than 29/05/2026 (AoE).
Description: The following items:

1. Merge all PRs with the support, testing etc.
2. A report with the:
   • evaluation results
   • findings from the exploration with the other runtimes

[cmainas]

Hello @sidneychang , please take a look of the above plan as discussed earlier and let me know if I missed anything or for any mistakes.

[sidneychang]

The following content captures my current understanding and findings from this week's exploration of containerd, rootfs setup, and snapshotters. It may still contain incomplete sections or inaccuracies, and I will continue improving and refining it as I explore the topic further.

1. Overall Architecture and Container rootfs Construction Workflow

• Positioning and Core Components

  • containerd sits between upper layers (Docker, kubelet, etc.) and lower‑level OCI runtimes (such as runc):
    • Content Store: stores image layers and other blobs using content hashes;
    • Snapshotter: builds mountable snapshots (overlayfs, btrfs, zfs, devmapper, etc.) based on layers in the Content Store;
    • Image Service: combines manifest/config/layers into the “image” abstraction and supports Pull/Push/Unpack;
    • Container Service: manages container objects (ID, rootfs snapshot name, OCI spec, runtime type, etc.);
    • Task Service: creates, starts, and stops tasks based on container objects and rootfs;
    • Shim + Runtime: the shim process and an OCI runtime (such as runc) jointly create and run the actual container process.

• Typical Workflow (From Image to Task)

A typical example appears in docs/features.md:

// 1. Pull the image and unpack it into the snapshotter
image, err := client.Pull(context, "docker.io/library/redis:latest", containerd.WithPullUnpack)

// 2. Allocate a rootfs and OCI spec for the container based on the image
redis, err := client.NewContainer(context, "redis-master",
	containerd.WithNewSnapshot("redis-rootfs", image),
	containerd.WithNewSpec(oci.WithImageConfig(image)),
)

// 3. Turn the container object into a runnable task
task, err := redis.NewTask(context, cio.NewCreator(cio.WithStdio))
defer task.Delete(context)

pid := task.Pid()
err = task.Start(context)
status, err := task.Wait(context)

This workflow can be abstracted as:

1. Pull + Unpack: store image layers in the Content Store and unpack them into a chain of read‑only snapshots through the snapshotter;
2. Container object: records the rootfs snapshot name and the complete OCI spec;
3. Task creation: Task Service + shim/runtime transform the container + rootfs into a runnable process;
4. Start / Wait / Delete: manage the lifecycle of the task.

---

2. rootfs Preparation and the Role of Snapshotter

2.1 InitRootFS: From Snapshot to rootfs

In pkg/rootfs/init.go, InitRootFS is the key entry point for rootfs initialization:

// InitRootFS initializes the snapshot for use as a rootfs
func InitRootFS(ctx context.Context, name string, parent digest.Digest, readonly bool, snapshotter snapshots.Snapshotter, mounter Mounter) ([]mount.Mount, error) {
	_, err := snapshotter.Stat(ctx, name)
	if err == nil {
		return nil, errors.New("rootfs already exists")
	}

	parentS := parent.String()

	initName := defaultInitializer
	initFn := initializers[initName]
	if initFn != nil {
		parentS, err = createInitLayer(ctx, parentS, initName, initFn, snapshotter, mounter)
		if err != nil {
			return nil, err
		}
	}

	if readonly {
		return snapshotter.View(ctx, name, parentS)
	}

	return snapshotter.Prepare(ctx, name, parentS)
}

Key points:

• parent is usually the top snapshot (or its digest) of the image rootfs;
• In read‑only scenarios, View is called to create a snapshot view that can be shared by multiple containers;
• In read‑write scenarios, Prepare is called to create an active snapshot used as the container’s writable layer;
• The return type is []mount.Mount, meaning a set of mount descriptions;
• Each mount.Mount includes Type (filesystem type), Source (device or directory), Target (mount point), and Options;
• InitRootFS itself does not perform the final mount of rootfs. It only returns a description of how rootfs should be mounted. The actual mount occurs later in the Task/shim stage.

2.2 Task and Shim: How rootfs Is Actually Used

• In the Task gRPC interface (api/services/tasks/v1/tasks.proto), the CreateTaskRequest.rootfs field is used to pass the pre‑chroot mount list;
• Task Service assembles container metadata (including OCI spec and runtime configuration) together with CreateTaskRequest.rootfs into runtime.CreateOpts;
• runtime v2 starts a shim, which then:
  • mounts the rootfs according to the mount.Mount list;
  • invokes the OCI runtime (runc) to execute the container process;
  • handles I/O forwarding and state reporting.

Thus, the snapshotter provides a mountable rootfs description, while the actual mounting and execution are performed by shim/runtime.

2.3 End‑to‑End rootfs Lifecycle

2.3 End-to-End Rootfs Flow (From Image to Process)

By connecting the pieces described above, we can derive a more complete lifecycle of the rootfs:

1. Pull + Unpack: Build the image snapshot chain

• client.Pull(..., containerd.WithPullUnpack): the Image Service stores the image layer blobs in the Content Store;
• the snapshotter creates a chain of read-only committed snapshots based on the layers (usually named by each layer’s diffID / chainID).

2. Determine the parent: choose the root snapshot

• For a given image, image.RootFS() together with identity.ChainID(...) is used to obtain the top-level chainID, which serves as the parent snapshot of the rootfs (i.e., the parent mentioned above).

3. Allocate a rootfs snapshot for a specific container

• Writable container: call Prepare (e.g., WithNewSnapshot or InitRootFS(..., readonly=false, ...)) to obtain an active snapshot key and the corresponding []mount.Mount;
• Read-only container: call View (e.g., WithNewSnapshotView or InitRootFS(..., readonly=true, ...)) to obtain a read-only view key and []mount.Mount;
• At this step, the snapshot is only registered in the snapshotter metadata and a mount description is returned; it has not yet been mounted to any directory.

4. Create the Container object: record rootfs information

• The Container Service creates a containers.Container entry that records:

  • the snapshotter name and the SnapshotKey (the key from the previous step);
  • the OCI spec related to the image or workload (including the rootfs path, whether it is read-only, etc.).

5. Create the Task: rootfs mount information enters the Task Service

• When container.NewTask(...) is called, the Task Service will:

  • retrieve the rootfs []mount.Mount from the snapshotter (or directly use the mount description passed from the previous step);
  • place it into CreateTaskRequest.rootfs, and send it together with the OCI spec and runtime name to the shim/runtime.

6. shim/runtime stage: perform the actual rootfs mount and start the process

• After the shim receives CreateTaskRequest, inside the container bundle directory it will:

  • execute mounts one by one according to rootfs []mount.Mount (usually mounting to bundle/rootfs);
  • invoke the OCI runtime (such as runc create / runc start), where the runtime performs pivot_root or chroot on this rootfs and finally starts the container process.

7. Cleanup and reclamation

• When the Task is deleted, the shim is responsible for unmounting the rootfs and related mount points;

• At the upper layer, depending on policy:

  • an active snapshot may call Commit (to produce a new image layer) or Remove (discard it directly);
  • a View snapshot is usually removed directly when no longer needed, while the actual reclamation of underlying resources is handled by GC/lease/label mechanisms.

This shows clearly how the rootfs evolves from “a chain of committed snapshots built from image layers” into “the / filesystem seen by the container process.” In between, the main steps are: snapshotter (Prepare/View) → Container/Task Service (assemble rootfs mount descriptions) → shim/runtime (perform the actual mount and pivot_root).

---

3. Snapshotter Abstraction and Minimal Capabilities

3.1 Snapshotter Interface and Lifecycle

The unified snapshotter interface is defined in core/snapshots/snapshotter.go:

type Snapshotter interface {
        Stat(ctx context.Context, key string) (Info, error)
        Update(ctx context.Context, info Info, fieldpaths ...string) (Info, error)
        Usage(ctx context.Context, key string) (Usage, error)
        Mounts(ctx context.Context, key string) ([]mount.Mount, error)

        Prepare(ctx context.Context, key, parent string, opts ...Opt) ([]mount.Mount, error)
        View(ctx context.Context, key, parent string, opts ...Opt) ([]mount.Mount, error)

        Commit(ctx context.Context, name, key string, opts ...Opt) error
        Remove(ctx context.Context, key string) error

        Walk(ctx context.Context, fn WalkFunc, filters ...string) error
        Close() error
}

The responsibilities of each interface method can be understood as follows:

• Stat: query metadata of a snapshot key

  • Typical use: verify whether a snapshot exists, obtain parent-child relationships, state (Active / Committed / View), etc.

• Update: update selected fields of snapshot metadata (usually labels or descriptive information), where fieldpaths specifies the fields to update

  • Typical use: attach labels to existing snapshots, adjust GC behavior (for example containerd.io/gc.root).

• Usage: report disk usage and inode consumption of a snapshot

  • Typical use: quota control, cleanup policies, and monitoring storage usage.

• Mounts: given an existing snapshot key, return the []mount.Mount description required to mount it

  • Typical use: retrieve mount parameters without changing snapshot state (for example debugging or reusing an existing rootfs).

• Prepare: create a writable active snapshot from a parent snapshot and return the corresponding mount information

  • Typical use: allocate a writable layer (upperdir) for a container, which may later be committed or removed.

• View: create a read-only view from a parent snapshot and return mount information

  • Typical use: allow multiple read-only containers to share the same base image layer, or mount a committed snapshot for debugging.

• Commit: convert an active snapshot key into a new committed snapshot name

  • Typical use: after container build finishes, turn the writable layer into a new image layer or produce a customized base image.

• Remove: delete a snapshot key and its underlying resources

  • Typical use: reclaim disk space when containers or images are no longer needed; usually triggered by GC or explicitly by higher layers.

• Walk: iterate through all snapshots managed by the snapshotter, optionally filtered

  • Typical use: implement GC, diagnostic tools, or visualization (for example the traversal behind ctr snapshots ls/tree).

• Close: close the snapshotter and release internal resources

  • Typical use: during containerd shutdown or when standalone tools using a snapshotter exit.

From the containerd perspective, the minimal capabilities of a snapshotter can be summarized as:

• Create active or read-only snapshots from a parent (Prepare / View) and return the rootfs mount description ([]mount.Mount);
• Convert active snapshots into committed snapshots (Commit) and remove unused snapshots (Remove);
• Provide snapshot metadata (Stat), disk usage information (Usage), traversal (Walk), and metadata updates (Update).

---

3.1.1 Labels and Leases on Snapshots

When calling Prepare or View, you often see options such as snapshots.WithLabels(labels). These labels, together with containerd’s lease mechanism, determine why a snapshot exists and when it can be removed by GC.

• Labels: arbitrary key–value pairs attached to snapshots

  • Formally a map[string]string, written via snapshots.WithLabels or Update.

  • Which component consumes these labels depends on higher-level logic. Common uses include:

    • GC control: for example containerd.io/gc.root: <timestamp>. GC treats objects with this label as roots and will not delete them automatically.
    • Operational or debugging metadata: record owner, source, trace ID, etc.
    • Feature switches: some snapshotters or plugins interpret specific labels to enable or disable functionality.

• Leases: standalone “lease objects” that reference groups of resources

  • Managed by leases.Service. A lease can reference multiple resources such as content, snapshots, or containers.

  • As long as a lease exists, resources referenced by it will not be garbage-collected.

  • Typical uses:

    • When pulling images, unpacking, or building images, create a lease for the entire operation session and attach all intermediate snapshots and content to it.
    • After the operation completes (successfully or not), release the lease so that unused intermediate resources can be collected.

Recommended practices

• For short-lived snapshots or views tied to a container or session lifecycle, attach them to a lease and let the lease control their lifetime.
• For the rare cases where snapshots must be permanently pinned, use labels such as containerd.io/gc.root to mark them as GC roots.
• For business metadata or debugging information, simply attach custom labels (for example myruntime.view.owner=<container-id>).

Roughly speaking, labels describe what the object is and who owns it, while leases represent who is currently using it. Together they allow snapshots to safely exist temporarily or long-term under GC management.

A snapshotter itself is only responsible for storing and describing filesystem state. It does not directly hold mounts; mounting timing and lifecycle are controlled by the mount manager or by shim/runtime (see docs/mounts.md).

---

3.2 Block-Device-Based Snapshotters: devmapper and blockfile

3.2.1 Devmapper Snapshotter (Device-mapper thin-pool)

• Documentation: docs/snapshotters/devmapper.md
• Implementation: plugins/snapshots/devmapper/*

Core idea:

• Use the Linux Device-mapper thin-pool to allocate a thin device (logical block device) for each snapshot, and create an ext4 or xfs filesystem on top of it.
• Parent-child relationships between snapshots are represented through thin-pool block-level copy-on-write (CoW), making it suitable for storage-intensive and high-density container scenarios.

Mapping to the Snapshotter interface (selected examples):

• Prepare / View: create a new thin device and return a mount.Mount list using that device as the source.
• Commit: record snapshot metadata and usage statistics, then suspend/resume and deactivate the device to prevent accidental modification by other tools.
• Remove: delete snapshot metadata and call RemoveDevice to release the thin device.

---

3.2.2 Blockfile Snapshotter (Sparse File + loop/VM)

• Documentation: docs/snapshotters/blockfile.md

Core idea:

• Each snapshot corresponds to a disk image file (a sparse blockfile) containing a filesystem.
• Inheritance from the parent layer is implemented by copying the parent blockfile and applying the new layer diff.
• This design works well when containers run inside VMs, where the blockfile can be attached directly as a virtual disk.

Mapping to the Snapshotter interface:

• Prepare / View: create a new blockfile (either from scratch or copied from the parent), then return the corresponding mount.Mount description (often combined with loop/mkfs/mkdir transformers).
• Commit: associate the blockfile with snapshot metadata without additional diff computation.
• Remove: delete the blockfile and its metadata; sparse files help reduce actual disk usage.

Whether using overlayfs, devmapper, or blockfile, containerd always exposes the same Snapshotter interface and the same []mount.Mount description to upper layers. Implementation differences are fully encapsulated inside the snapshotter plugin. From the containerd perspective, the only concern is how to mount the resulting filesystem as the container rootfs.

---

4. Hands‑on Snapshotter Operations with ctr

4.1 Viewing Snapshotter Plugins

sudo ctr plugins ls | grep snapshotter

Example output:

io.containerd.snapshotter.v1           aufs                     linux/amd64    ok
io.containerd.snapshotter.v1           devmapper                linux/amd64    ok
io.containerd.snapshotter.v1           native                   linux/amd64    ok
io.containerd.snapshotter.v1           overlayfs                linux/amd64    ok

4.2 Creating and Committing Snapshots

sudo ctr images pull docker.io/library/busybox:latest
sudo ctr snapshots ls

Create an active snapshot:

sudo ctr snapshots prepare my-active-snap parent-snapshot

Commit it:

sudo ctr snapshots commit my-committed-snap my-active-snap

Remove it:

sudo ctr snapshots rm my-committed-snap

4.3 Debugging Mounts

ctr snapshots mounts /mnt/test-rootfs snapshot-key

This prints the exact mount command used to construct the rootfs.

---

5. Snapshot gRPC / Go API Entry Points

5.1 gRPC Definition

Defined in api/services/snapshots/v1/snapshots.proto:

service Snapshots {
  rpc Prepare(PrepareSnapshotRequest) returns (PrepareSnapshotResponse);
  rpc View(ViewSnapshotRequest) returns (ViewSnapshotResponse);
  rpc Mounts(MountsRequest) returns (MountsResponse);
  rpc Commit(CommitSnapshotRequest) returns (google.protobuf.Empty);
  rpc Remove(RemoveSnapshotRequest) returns (google.protobuf.Empty);
  rpc Stat(StatSnapshotRequest) returns (StatSnapshotResponse);
  rpc Update(UpdateSnapshotRequest) returns (UpdateSnapshotResponse);
  rpc List(ListSnapshotsRequest) returns (stream ListSnapshotsResponse);
  rpc Usage(UsageRequest) returns (UsageResponse);
  rpc Cleanup(CleanupRequest) returns (google.protobuf.Empty);
}

5.2 How ctr Uses the API

• ctr connects to containerd using gRPC;
• retrieves a SnapshotService client;
• invokes operations such as Prepare, View, Commit, Remove, and Usage.

---

6. Minimal Go Client Example

A minimal program demonstrating how to connect to containerd and create an active snapshot:

package main

import (
	"context"
	"fmt"
	"log"
	"time"

	containerd "github.com/containerd/containerd/v2/client"
	"github.com/containerd/containerd/v2/core/snapshots"
)

func main() {
	ctx := context.Background()

	client, err := containerd.New("/run/containerd/containerd.sock")
	if err != nil {
		log.Fatalf("connect containerd: %v", err)
	}
	defer client.Close()

	sn := client.SnapshotService("overlayfs")

	parent := "<existing-snapshot-name-or-chainid>"

	key := fmt.Sprintf("demo-rootfs-%d", time.Now().UnixNano())

	labels := map[string]string{
		"containerd.io/gc.root": time.Now().UTC().Format(time.RFC3339),
	}

	mounts, err := sn.Prepare(ctx, key, parent, snapshots.WithLabels(labels))
	if err != nil {
		log.Fatalf("prepare snapshot: %v", err)
	}

	fmt.Printf("Prepared snapshot %q (parent %q):\n", key, parent)
	for _, m := range mounts {
		fmt.Printf("- Type=%s Source=%s Target=%s Options=%v\n",
			m.Type, m.Source, m.Target, m.Options)
	}
}

[cmainas]

Thank you @sidneychang for the detailed explanation. Everything looks good.

[sidneychang]

Last week I also ran some preliminary startup latency tests in my prototype impletation.

In this prototype, the snapshot view is created in the shim before launching urunc. The idea is to prepare a read-only view of the container snapshot and expose the required artifacts (e.g., unikernel, initrd, and configuration files) to the runtime without directly copying them from the snapshot device.

To understand the impact of this approach on startup latency, I added instrumentation logs around the snapshot view creation path in the shim. The experiments were conducted using the nginx-qemu-linux-raw image.
To understand where the time is spent, I added logging and breakpoints to measure the duration of each step during snapshot view creation.

The results suggest that the dominant cost comes from the devmapper snapshot view creation itself. A typical run shows:

Operation	Duration
SnapshotService.View	~128 ms
view mount (mount.All)	~9 ms
lease operations (Create + AddResource)	~25 ms

This results in roughly ~170 ms of additional control-plane overhead in the startup path when the snapshot view is created.

For comparison, in the previous implementation we directly copied the required files (unikernel, initrd, and urunc.json) from the snapshot device. Based on instrumentation inside urunc, the file extraction path typically takes around 10–15 ms.

This difference is also reflected in the end-to-end startup measurements:

Mode	Avg startup time
no-view	~0.9 s
view	~1.1–1.2 s

From these preliminary results, the additional latency appears to come mainly from the control-plane operations required to create the snapshot view (interaction with containerd, snapshot service calls, and metadata updates).

For relatively small images such as redis or nginx, the snapshot view approach does not seem to reduce startup latency in our tests. The overhead of creating the view appears to outweigh the cost of copying a small number of files from the snapshot device.

That said, snapshot views may still be beneficial in other scenarios (for example larger images, repeated snapshot reuse, or cases where reducing filesystem duplication is more important than minimizing startup latency).

I would be interested to hear whether this observation aligns with the intended usage model of snapshot views, or if there are scenarios where this approach would be expected to perform better.

[cmainas]

Thank you @sidneychang for this early evaluation. To be honest, I was not expecting the snapshot creation to require that much time. On the other hand, the small overhead of copying files in urunc can be explained from the fact that these operations take place in tmpfs.

However, as you already mentioned snapshot views will be beneficial in some scenarios. I do not believe that these scenarios are larger images, since we are only interested in some specific files. However, in case we deploy multiple containers with the same image (and hence reducing duplication), snapshot views will perform better than copying files. For example with the numbers form the early evaluation spawning ~12 containers with the same image could have the same overhead as creating a single snapshot view and sharing it among all of the containers. Also, this overhead will affect entirely the first container and not the rest.

Another point that would be helpful to search is if the size of the image affects the time required for the creation of the view snapshot. If that is the case, then we can explore ways to decrease the size of the snapshot we are interested (e.g. only first layer of the image, I am not sure if this is possible).

[sidneychang]

Thank you for the suggestion. I also think that sharing the same snapshot view across multiple containers is a feasible direction. In fact, I had considered this possibility earlier as well. My main concern is how to properly manage the lifecycle of such a view. Since this view would not be created directly by containerd, we would need a mechanism to ensure that containerd can reclaim it at the appropriate time. I will investigate how this could be handled safely.

Regarding the snapshot size, I noticed that when containerd creates a view snapshot, most of the work seems to involve database updates and metadata writes. Because of that, I am not entirely sure whether the size of the selected layer actually has a significant impact on the creation time. Even if it does, interacting with containerd through APIs (for example when using lightweight operations like leases) already takes a few milliseconds. Therefore, it might be difficult for snapshot views alone to significantly improve container startup latency.

[sidneychang]

During some startup latency experiments with urunc + containerd + devmapper snapshotter, I observed several behaviors that might be interesting to share.

The goal of the experiment was to explore container startup latency under different snapshot usage patterns.

One important note about the environment: the experiments were conducted on a VM with relatively limited memory, but according to system monitoring during the tests, no swap space was used, so the observed latency does not appear to be related to swapping.

Testing Method

Originally, the testing pattern was:

1. Start a container
2. Stop it
3. Start the next container

Under this pattern, the startup latency remained relatively stable.

Later, to explore snapshot reuse behavior, the testing method was changed to:

1. Start a first container and keep it running
2. Repeatedly start and stop additional containers using the same image

Observation 1: Higher Startup Latency When Another Container Is Running

When using the devmapper snapshotter, it appears that if there is already a container running based on the same image, starting additional containers tends to have higher startup latency.

From instrumentation logs added around the runtime startup path, the increased latency is not due to urunc itself, but mainly comes from TaskService.Create().

Example results (baseline implementation without snapshot views):

[1/3] ensuring image is present (pull if missing)...
image already present locally, skipping pull

[2/3] starting first long-lived container (kept until tests finish)...
0.84
first container id: a160df0fd7c5

[3/3] running remaining containers while keeping the first one alive...

run 2 / 10   1.36
run 3 / 10   1.34
run 4 / 10   1.33
run 5 / 10   1.27
run 6 / 10   1.35
run 7 / 10   1.28
run 8 / 10   1.29
run 9 / 10   1.25
run 10 / 10  1.22

Compared with the first container startup (~0.8–1.0s), additional containers tend to start around 1.2–1.5s when another container based on the same image is already running.

Observation 2: Using a Shared Snapshot View

I experimented with an approach intended to reuse the snapshot view more explicitly:

Create a snapshot view

Mount the view block device on the host filesystem

Share the mounted filesystem with multiple containers via bind mounts

In other words, instead of letting each container mount its own snapshot, multiple containers reuse the same mounted filesystem derived from the snapshot view.

In this setup, I observed that container startup latency fluctuates significantly more, again mainly due to TaskService.Create, rather than urunc itself.

[1/3] ensuring image is present (pull if missing)...
image already present locally, skipping pull

[2/3] starting first long-lived container (kept until tests finish)...
1.16
first container id: 949808466484

[3/3] running remaining containers while keeping the first one alive...

run 2 / 10   1.44
run 3 / 10   1.52
run 4 / 10   1.18
run 5 / 10   1.30
run 6 / 10   1.47
run 7 / 10   1.40
run 8 / 10   1.48
run 9 / 10   1.51
run 10 / 10  1.73

At this stage, the focus is not on whether the view-based implementation is faster or slower, but rather on the latency variability observed during repeated container startups.

Overall, compared with the baseline pattern, the view-based approach showed noticeably larger startup latency variance in the tests.

I am continuing to investigate the underlying causes in the containerd snapshotter and runtime startup path, and I will update this thread if I find additional details.

[cmainas]

Hello @sidneychang ,

thank you for this information and the evaluation.

I have a few questions and some comments that it would be nice if we could discuss.

• There might be a chance that the execution environment is responsible for the higher overhead you encountered when a container was already running. If the VM does not have anough cores (e.g. 1,2) and a urunc container is already running then the monitor process will try to use one core and there will be high competition for the available cores. If the VM has enough cores the above is false.
• You mention that the overhead seems to appear when we start new containers with the same image. Does the overhead also occur for containers with different images?
• In the case where a snapshot view is used, you mention that the containers share the view snapshot through a bind mount. What is the snapshotter used for the rootfs of the containers in that case? Does the same behavior appears without the view snapshot?

[sidneychang]

I reran the snapshot-view experiments on a much stronger machine than the one used in earlier rounds, so the absolute startup times are better across the board.
This test machine is:

• 2 x AMD EPYC 9474F 48-Core
• 192 CPUs
• 250 GiB RAM
• much faster storage than the previous setup

Summary

The current snapshot-view implementation is working correctly in terms of reuse, but on devmapper it is still not improving startup latency. In serial startup it is slightly slower than the original path, and under concurrency it is clearly slower.
The key point is that the slowdown is not caused by accidentally creating one view per container. I have verified that reuse is already happening. The remaining cost comes from the creation of the first shared view, and under concurrency the other containers still have to wait for that shared view to become ready.

How the current implementation works

The current implementation creates one shared read-only view per root snapshot and reuses it across containers. Conceptually, it does this:

  viewKey = (snapshotter, namespace, rootSnapshotKey)
  sharedViewID = hash(viewKey)
  sharedMountPath = /run/urunc/shared-views/<sharedViewID>/data

At create time, the shim:

1. resolves the container snapshot
2. for devmapper, walks to the committed parent snapshot
3. computes a shared key from (snapshotter, namespace, snapshotKey)
4. creates or reuses a shared read-only snapshot view
5. mounts it under /run/urunc/shared-views//data
6. injects that path into the bundle config
7. lets urunc read unikernel, initrd, and urunc.json from that shared view instead of copying them out of the active rootfs

At delete time, it removes the container’s usage marker, and only the last user removes the shared view.

So the design already does shared reuse. The question is not whether reuse exists, but why latency is still worse.

Why the view path is slower

The main reason is that this path is additive, not substitutive.
The normal containerd startup path still needs to prepare the container’s active rootfs snapshot. The snapshot-view optimization does not remove that work. It adds another control-plane step on top in order to avoid copying a few files.
In simplified form:

• original path:
  • prepare active snapshot
  • start container
• snapshot-view path:
  • prepare active snapshot
  • create/reuse shared read-only view
  • mount shared view
  • inject path / manage lifecycle
  • start container
    So we are trading:
• removed work:
  • copying unikernel
  • copying initrd
  • copying urunc.json
    for:
• added work:
  • SnapshotService.View()
  • shared mount setup
  • lifecycle bookkeeping
  • config injection
  • cleanup coordination
    On devmapper, that added control-plane cost is still larger than the copy cost we remove.

Test method

For serial startup, I ran 10 starts and kept the first container. Every later container was deleted immediately after startup. The command shape was:

  nerdctl run -d \
    --snapshotter devmapper \
    --runtime io.containerd.urunc.v2 \
    harbor.nbfc.io/nubificus/urunc/nginx-qemu-linux-raw:latest

The serial script logic was:

  for i in $(seq 0 9); do
    name="nginx-raw-bench-$i"
    start_ms=$(date +%s%3N)

    nerdctl run -d \
      --name "$name" \
      --snapshotter devmapper \
      --runtime io.containerd.urunc.v2 \
      harbor.nbfc.io/nubificus/urunc/nginx-qemu-linux-raw:latest >/dev/null

    end_ms=$(date +%s%3N)
    echo "$name $((end_ms - start_ms))"

    if [ "$i" -ne 0 ]; then
      nerdctl rm -f "$name" >/dev/null
    fi
  done

For parallel startup, we launched 10 containers concurrently:

  batch_start=$(date +%s%3N)

  for i in $(seq 0 9); do
    (
      name="nginx-raw-par-$i"
      start_ms=$(date +%s%3N)

      nerdctl run -d \
        --name "$name" \
        --snapshotter devmapper \
        --runtime io.containerd.urunc.v2 \
        harbor.nbfc.io/nubificus/urunc/nginx-qemu-linux-raw:latest >/dev/null

      end_ms=$(date +%s%3N)
      echo "$name $((end_ms - start_ms))" >> /tmp/parallel-times.txt
    ) &
  done

  wait
  batch_end=$(date +%s%3N)
  echo "batch_total_ms=$((batch_end - batch_start))"

Results

Warm serial startup:

• original path:
  • first run: 709 ms
  • repeated runs average: 511.33 ms
• snapshot-view path:
  • first run: 737 ms
  • repeated runs average: 520.89 ms

So in steady-state serial startup, the snapshot-view path was slightly slower.

10-way parallel startup:

• original path:
  • batch total: 1930 ms
  • per-container average: 1507.60 ms
• snapshot-view path:
  • batch total: 2712 ms
  • per-container average: 2573.70 ms

So under concurrency, the gap becomes much larger.

Profiling evidence

To understand where the time went, I added startup profiling.

The most important finding is that the current implementation does reuse the shared view:

• in a 10-container parallel run, only one real SnapshotService.View() happened
• the other 9 containers reused the shared mount

This rules out “one view per container” as the explanation.

But profiling also showed why latency is still poor:

• in serial runs:
  • create_snapshot_view.total: about 120.90 ms average
  • shared_view.snapshot_view: about 111.10 ms average
• in the 10-way parallel run:
  • one actual SnapshotService.View() took 641 ms
  • the other containers were effectively gated by that first creation

Then I reduced the lock scope around shared-view lifecycle management. That helped serial startup and removed lock contention as the main suspect:

• serial average improved from 777.20 ms to 714.50 ms

However, parallel startup still did not improve meaningfully:

• one real SnapshotService.View() still took about 807 ms
• the other containers simply waited for the shared view to become ready

So after that change, the bottleneck was no longer lock contention. The bottleneck was the cost of the first shared view creation itself.

Conclusion

At this point, the evidence suggests:

• the slowdown is not caused by duplicate view creation
• on devmapper, the cost of creating the first shared view is still too high relative to the copy cost we remove
• under concurrency, all containers still depend on that first shared view becoming ready

So in its current form, this snapshot-view approach behaves more like a storage/layout optimization than a startup-latency optimization.

[sidneychang]

I have recently been looking into the startup behavior of devmapper snapshotter in our scenario, and my impression is that its overhead on the startup path is already relatively high by itself, and this issue may become even more visible under concurrent startup.

From the implementation model, devmapper snapshotter does not work like overlayfs, which directly stacks layers on host directories. Instead, it first creates block-device snapshots based on a device-mapper thin-pool, and then mounts a filesystem on top of those block devices. As a result, the startup path usually includes additional steps such as device creation, temporary mount operations, filesystem initialization, and metadata handling. This is valuable for scenarios that need block-device semantics, but it also means these operations are more likely to end up on the critical startup path. The official documentation also explicitly requires preparing a thin-pool and configuring parameters such as pool_name and base_image_size: containerd devmapper snapshotter docs.

In my own tests, the extra overhead introduced by concurrent startup is quite significant, and I found that similar behavior has already been observed by others in the community. For example, in containerd issue #12335, someone analyzed the case of starting 100 Pods concurrently and pointed out that device creation and mount.WithTempMount inside prepare rootfs fall into the same global transaction path, which makes rootfs preparation close to serialized and leads to noticeable tail latency between the first and last ready instances.

In addition, there have already been reports that devmapper is significantly slower than overlayfs during image pull and first-run preparation. In containerd discussion #6625, users reported substantial degradation in image pulling time with devmapper. This makes me think that the overhead is not just caused by one isolated implementation detail, but may instead be related to the block-device preparation path itself, which is independent of urunc.

In earlier discussions, we had planned to introduce a view to avoid one extra copy. But now I increasingly suspect that this view may not actually provide real acceleration. Although it may save a small amount of copy time (which is actually very small in practice), it also means adding one more object creation and handling step on top of the existing devmapper path. Under concurrency, that extra work is unlikely to be a net gain, and may instead further amplify the startup bottleneck that already exists.

So my current tentative conclusion is that, for devmapper snapshotter, concurrent startup is already an important issue that deserves attention; and on top of that, introducing a view may not be an effective optimization strategy. That said, this is still not my final conclusion, and I will continue doing more tests to verify it. If possible, we may also explore whether some optimizations or adaptations can be made on the urunc side for block-device-based snapshotters.

[cmainas]

Hello @sidneychang ,

unfortunately, this is true, devmapper can be much slower compared to other snapshotters. However, the root cause might be the implementation of the snapshotter. Therefore, as mentioned in the Friday's sync, it would be helpful to also evaluate the blockfile snapshotter. Furthermore, despite the latency in concurrent execution, there still can be use cases where storing the boot files for the sandbox in urunc might cause harm in other ways (e.g. storage). We also need to check if the devmapper snapshotter could potentially help towards this direction (using less storage / memory).

In general, a block-based snapshotter is important for urunc sandboxes, because a lot of VMMs and software-based sandboxes might offer only block-based support for storage. Therefore, devmapper and similar snapshots help a lot on preparing the rootfs for such sandboxes.

[sidneychang]

Some observations on view, devmapper, and blockfile startup latency

In several rounds of testing, I noticed that startup latency can fluctuate quite a lot. For example, starting a single urunc container on devmapper sometimes took about 5 seconds, but on another day the same kind of run could drop to around 0.6 seconds. I suspect this may be related to the design or runtime state of devmapper itself, such as metadata state, cache state, device preparation, or whether some initialization path was effectively reused. In any case, I ran a set of experiments and found several interesting patterns. My overall takeaway is still: using view does not seem to help much with reducing startup latency. In this dataset, it generally adds overhead instead of reducing it.

For context: although devmapper and blockfile were tested with different images here, I also tested devmapper with both block and raw images, and the difference was small. So for the devmapper results below, I think the differences are mostly due to the implementation path rather than the image format itself.

Full data summary

I tested four configurations:

• devmapper, original implementation

• devmapper, with snapshot view

• blockfile, no-view

• blockfile, with snapshot view

The concurrency levels were 1, 10, 32, and 64. The table below summarizes the full statistics.

Configuration	Concurrency	Avg (s)	Min (s)	Max (s)	Stddev (s)
devmapper original	1	0.6628	0.6628	0.6628	0.0000
devmapper original	10	1.7104	1.0709	2.0166	0.3157
devmapper original	32	4.3700	2.3930	5.9973	0.9732
devmapper original	64	7.4371	2.7701	10.4343	1.7315
devmapper + view	1	0.7694	0.7694	0.7694	0.0000
devmapper + view	10	2.4569	2.1186	2.8414	0.2085
devmapper + view	32	6.6032	5.7286	7.6330	0.5345
devmapper + view	64	12.9197	10.6997	15.1199	0.8107
blockfile no-view	1	2.8293	2.8293	2.8293	0.0000
blockfile no-view	10	14.2522	3.1052	24.2788	7.4659
blockfile no-view	32	40.9451	3.3203	76.3530	22.1804
blockfile no-view	64	78.5843	3.3048	152.3767	44.7836
blockfile + view	1	2.8091	2.8091	2.8091	0.0000
blockfile + view	10	20.5956	10.5745	24.9275	5.0656
blockfile + view	32	45.7393	13.8223	76.0734	18.9432
blockfile + view	64	86.7734	12.5340	153.2913	43.6929

This makes one thing very clear: the disadvantage of blockfile grows as concurrency increases.

Raw timing data

I am also including the raw timing samples here for completeness.

Devmapper and no-View

Concurrency 1
0.6628

Concurrency 10
1.0709, 1.3500, 1.5362, 1.6140, 1.7670, 1.8301, 1.9639, 1.9738, 1.9814, 2.0166

Concurrency 32
2.3930, 2.6542, 2.6574, 2.7670, 2.9605, 3.3636, 3.5575, 3.7255, 3.8011, 3.8804, 4.0815, 4.1321, 4.2901, 4.4287, 4.4254, 4.4210, 4.6252, 4.6250, 4.6504, 4.6867, 4.9246, 4.9363, 5.0816, 5.0885, 5.1085, 5.1294, 5.2772, 5.2824, 5.4455, 5.6246, 5.8174, 5.9973

Concurrency 64
2.7701, 4.5399, 4.7248, 4.8749, 5.0216, 5.0842, 5.0728, 5.2251, 5.4171, 5.5718, 5.6370, 5.6393, 5.7806, 5.7849, 5.9254, 6.1339, 6.3559, 6.4928, 6.5081, 6.5614, 6.5567, 6.6351, 6.7030, 6.7752, 6.9231, 7.1336, 7.1446, 7.1357, 7.1534, 7.2977, 7.3375, 7.3851, 7.3970, 7.5273, 7.5483, 7.5850, 7.6290, 7.7287, 7.9482, 8.0302, 8.0462, 8.0679, 8.1471, 8.1746, 8.3648, 8.4431, 8.4655, 8.5913, 8.6074, 8.7862, 8.9875, 9.1598, 9.4432, 9.5231, 9.6505, 9.7177, 9.7644, 9.8202, 9.9882, 10.1671, 10.1993, 10.3592, 10.3698, 10.4343

Devmapper and use a shared View

Concurrency 1
0.7694

Concurrency 10
2.1186, 2.3058, 2.3246, 2.3466, 2.3768, 2.4333, 2.5755, 2.6090, 2.6372, 2.8414

Concurrency 32
5.7289, 5.7286, 5.8149, 6.0301, 6.0415, 6.0520, 6.0568, 6.1095, 6.1845, 6.1841, 6.1799, 6.2860, 6.3462, 6.4996, 6.5602, 6.5710, 6.6444, 6.7601, 6.7831, 6.8113, 6.8260, 6.8560, 6.9147, 6.9711, 7.0443, 7.1982, 7.2028, 7.2312, 7.2446, 7.3874, 7.4214, 7.6330

Concurrency 64
10.6997, 10.9039, 11.8133, 12.0998, 12.2745, 12.3020, 12.3212, 12.4462, 12.4751, 12.4979, 12.4890, 12.4923, 12.5055, 12.5458, 12.5875, 12.6142, 12.6149, 12.5991, 12.6052, 12.6180, 12.6263, 12.6172, 12.6258, 12.6284, 12.6282, 12.6370, 12.6202, 12.6262, 12.6396, 12.6284, 12.6219, 12.6247, 12.6383, 12.6318, 12.6324, 12.6388, 12.6613, 12.6698, 12.6727, 12.7091, 12.7566, 12.8544, 12.8862, 12.8994, 12.9759, 13.0184, 13.2214, 13.2467, 13.2813, 13.3032, 13.3918, 13.3900, 13.4350, 13.7252, 13.8153, 13.9175, 14.0878, 14.3330, 14.3349, 14.4974, 14.5386, 14.6449, 14.9029, 15.1199

blockfile and no View

Concurrency 1
2.8293

Concurrency 10
3.1052, 5.5674, 7.9705, 10.3697, 12.7532, 15.1741, 20.1096, 20.6956, 22.4978, 24.2788

Concurrency 32
3.3203, 7.4115, 8.1950, 10.4836, 15.4757, 15.8389, 18.0301, 20.3336, 22.7309, 25.2223, 27.5892, 29.8835, 34.5640, 35.2944, 37.1073, 39.3863, 42.0385, 46.4552, 47.5370, 50.1888, 51.3144, 55.7064, 56.0546, 58.6294, 60.8470, 62.6859, 65.8204, 68.2748, 70.1479, 72.3413, 74.9816, 76.3530

Concurrency 64
3.3048, 5.6381, 7.9732, 10.4862, 12.9163, 15.1246, 17.5128, 19.9351, 22.2346, 24.5225, 26.7343, 30.1488, 31.4135, 33.4584, 35.8712, 38.1004, 40.7972, 43.0258, 45.3449, 50.4551, 51.1847, 54.0341, 54.9797, 57.5968, 60.1320, 62.2911, 64.7874, 66.9418, 69.1502, 72.0469, 74.2890, 77.0926, 81.6011, 82.4126, 83.9984, 86.1275, 88.7347, 91.2607, 93.9695, 96.4191, 98.3960, 100.2426, 105.7345, 106.5355, 110.1670, 110.7324, 113.7679, 117.8232, 118.6740, 123.3320, 123.5920, 124.9864, 127.8304, 130.5702, 132.6665, 134.4144, 137.9454, 139.9549, 142.5985, 144.9472, 146.7368, 149.4373, 151.8834, 152.3767

blockfile and use a shared View

Concurrency 1
2.8091

Concurrency 10
10.5745, 15.4463, 16.4722, 18.5294, 21.8350, 24.2985, 24.4854, 24.6818, 24.7056, 24.9275

Concurrency 32
13.8223, 14.5868, 17.0446, 19.1483, 22.0457, 24.5364, 25.7591, 27.0690, 30.2287, 32.9242, 34.5675, 38.0236, 41.2834, 42.6369, 44.4846, 47.1391, 50.9122, 51.8467, 53.3780, 54.3230, 54.3776, 54.4034, 57.8684, 58.8422, 60.2175, 65.0495, 65.7195, 67.6173, 70.0243, 71.8504, 75.8557, 76.0734

Concurrency 64
12.5340, 15.3160, 16.5870, 20.0854, 21.5345, 24.2904, 25.6475, 27.6185, 31.1265, 33.8792, 36.0453, 39.4449, 41.8233, 42.7420, 45.8095, 49.1573, 50.1146, 52.8277, 54.6968, 57.3054, 59.1127, 62.2059, 64.1450, 66.1186, 68.2766, 71.5521, 73.9081, 76.5338, 78.0364, 81.2729, 83.6384, 86.2146, 88.5108, 92.2084, 93.0919, 95.7777, 98.0437, 99.7103, 102.1815, 105.1966, 107.5742, 109.4366, 112.2623, 114.5843, 116.8198, 120.6527, 121.4012, 123.7027, 126.1087, 128.4059, 131.1994, 132.5935, 134.2823, 138.1150, 139.2946, 142.8230, 145.4999, 147.7409, 152.1521, 152.2853, 152.7977, 153.0632, 153.0917, 153.2913

All of the above values come directly from my recorded runs.

What I found

1. devmapper is clearly better than blockfile

From the averages alone, devmapper is much faster than blockfile, and the gap gets larger as concurrency increases. That suggests the difference is not just a fixed cold-start cost. It looks more like a difference in scalability under concurrent startup.

2. I did not see evidence that view reduces startup latency

On devmapper, view is slower than the original implementation. On blockfile, view is also slower than no-view for most concurrency levels. So based on this dataset, I do not see evidence that view helps reduce startup latency. If anything, it introduces additional overhead.

3. On devmapper, view looks slower but more stable

With devmapper, the average gets worse with view, but the standard deviation becomes smaller. That suggests view may be introducing a more uniform path: not randomly hurting a few runs, but consistently adding work to most or all runs.

4. On blockfile, the backend already looks heavy, and view just makes it worse

Both blockfile variants show very large variance and very long tails at higher concurrency. At concurrency 64, both max values are around 150 seconds, and the standard deviations are above 40 seconds. So the main issue on blockfile appears to be the backend itself under concurrency, while view just adds more overhead on top.

5. In my implementation, the minimum time for the view case is close to the first container passing the shared-view critical path

Because my shared view is protected by a lock, the minimum completion time in the view case is likely close to the container that first acquires the lock, finishes shared view initialization, and then completes startup. From that perspective, on blockfile, view looks like it adds a front-loaded barrier, while on devmapper, the rise in the minimum time is more pronounced, which suggests that the shared view path is more directly exposed on the critical path there.

My current hypotheses

My current interpretation is:

• The main differences here are more likely caused by the snapshotter / runtime path than by image format.

• The large fluctuations I observed on devmapper may indeed be related to the design or runtime state of devmapper, such as metadata state, cache warmth, prepared device state, or whether some initialization path was effectively reused.

• In its current form, view seems to be adding complexity to the startup path rather than reducing the amount of work on the critical path.

• The main bottleneck for blockfile seems to be poor scalability under concurrency, not view alone. Even without view, it already shows severe queueing and long-tail behavior.

Conclusion

My current conclusion is fairly simple:

• devmapper performs much better than blockfile, especially as concurrency increases.

• I do not currently see view providing meaningful startup-latency reduction.

• The startup-time fluctuation I observed on devmapper may be related to devmapper design or runtime state, but I would need more stage-level timing to verify that.

• On blockfile, the major problem seems to be backend scalability and queueing under concurrency, and view mostly makes that worse rather than fixing it.

[sidneychang]

This is my script for the evalutaion:

#!/usr/bin/env bash
# Concurrently start containers and measure nerdctl run latency;
# ensure the image exists before starting; remove containers created by this script afterward.
# Each execution runs only one concurrency level:
# 1 (single container, for comparison with manual `time nerdctl run`),
# 10, 32, 64 (passed as the first argument).
# Default namespace is nerdctl's "default".
#
# Usage:
#   ./run_concurrent_start_bench.sh 1
#   ./run_concurrent_start_bench.sh 10
#   ./run_concurrent_start_bench.sh --blockfile 64
#   ./run_concurrent_start_bench.sh --devmapper 32
#   ./run_concurrent_start_bench.sh -s overlayfs 10
#
# Environment variables: NS, IMAGE, SNAPSHOTTER, RUNTIME, SKIP_RESET, RESET_SCRIPT, NAME_PREFIX
# (Command-line options override SNAPSHOTTER)
#
# Image & snapshotter notes:
# containerd shares image blobs, but unpacked writable rootfs snapshots
# (devmapper / blockfile / overlayfs) are separated per snapshotter.
# If only pulled under devmapper, switching to blockfile may require re-pull or first-run unpack.
set -euo pipefail

NS="${NS:-default}"
IMAGE="${IMAGE:-harbor.nbfc.io/nubificus/urunc/nginx-qemu-linux-raw:latest}"
SNAPSHOTTER="${SNAPSHOTTER:-devmapper}"
# If set to 1, always run nerdctl pull (ensure unpacked under current snapshotter)
FORCE_PULL="${FORCE_PULL:-0}"
RUNTIME="${RUNTIME:-io.containerd.urunc.v2}"
RESET_SCRIPT="${RESET_SCRIPT:-$(dirname "$0")/reset_urunc_bench_state.sh}"
# Container name prefix for identification and cleanup
NAME_PREFIX="${NAME_PREFIX:-urunc-concbench}"

SCRIPT_TAG="concbench-$$"

log() { printf '%s\n' "$*"; }

ensure_image() {
  local need_pull=0
  if [[ "${FORCE_PULL}" == "1" ]]; then
    need_pull=1
    log "[pull] FORCE_PULL=1, pulling image under snapshotter=$SNAPSHOTTER"
  elif ! sudo nerdctl -n "$NS" --snapshotter "$SNAPSHOTTER" image inspect "$IMAGE" >/dev/null 2>&1; then
    need_pull=1
    log "[pull] Image not found under snapshotter=$SNAPSHOTTER, pulling: $IMAGE"
  fi
  if [[ "${need_pull}" == "1" ]]; then
    sudo nerdctl -n "$NS" --snapshotter "$SNAPSHOTTER" pull "$IMAGE"
  else
    log "[pull] Inspect passed under snapshotter=$SNAPSHOTTER, skipping pull"
  fi
}

run_reset() {
  if [[ "${SKIP_RESET:-0}" == "1" ]]; then
    log "[reset] SKIP_RESET=1, skipping reset_urunc_bench_state"
    return 0
  fi
  log "[reset] Cleaning namespace runtime state..."
  NS="$NS" SNAPSHOTTER="$SNAPSHOTTER" "$RESET_SCRIPT"
}

stats_from_times_file() {
  local f=$1
  if [[ ! -s "$f" ]]; then
    log "  (no valid samples)"
    return 0
  fi
  awk '
    NF {
      v[++n] = $1 + 0
      sum += v[n]
      if (n == 1 || v[n] < min) min = v[n]
      if (n == 1 || v[n] > max) max = v[n]
    }
    END {
      if (n < 1) exit 0
      mean = sum / n
      for (i = 1; i <= n; i++) { ss += (v[i] - mean) ^ 2 }
      sd = (n > 1) ? sqrt(ss / (n - 1)) : 0
      printf "  Sample count: %d\n", n
      printf "  Latencies (s):"
      for (i = 1; i <= n; i++) printf " %.4f", v[i]
      printf "\n"
      printf "  Mean (s): %.4f\n", mean
      printf "  Min (s): %.4f  Max (s): %.4f\n", min, max
      printf "  Stddev (s): %.4f\n", sd
    }
  ' "$f"
}

run_batch() {
  local n=$1
  local work
  work="$(mktemp -d "${TMPDIR:-/tmp}/${SCRIPT_TAG}-batch${n}-XXXXXX")"
  log ""
  log "======== Concurrency: $n ========"

  local i pids=()
  for ((i = 1; i <= n; i++)); do
    (
      set +e
      local t0 t1 elapsed cid name rc
      name="${NAME_PREFIX}-${SCRIPT_TAG}-${n}-${i}"
      t0=$(date +%s.%N)
      cid=$(sudo nerdctl -n "$NS" --snapshotter "$SNAPSHOTTER" run -d \
        --name "$name" \
        --runtime "$RUNTIME" \
        "$IMAGE" 2>/dev/null | tail -1)
      rc=$?
      t1=$(date +%s.%N)
      elapsed=$(awk -v a="$t0" -v b="$t1" 'BEGIN { printf "%.6f", b - a }')
      if [[ $rc -eq 0 && -n "$cid" ]]; then
        printf '%s\n' "$elapsed" >>"$work/times.ok"
        printf '%s\n' "$cid" >>"$work/cids"
      else
        printf '%s nerdctl_rc=%s\n' "$elapsed" "$rc" >>"$work/failures.log"
      fi
    ) &
    pids+=($!)
  done

  for pid in "${pids[@]}"; do
    wait "$pid" || true
  done

  if [[ -f "$work/times.ok" ]]; then
    stats_from_times_file "$work/times.ok"
  fi
  if [[ -f "$work/failures.log" ]]; then
    log "  Failed or empty container ID records (elapsed, rc):"
    sed 's/^/    /' "$work/failures.log" || true
  fi

  if [[ -f "$work/cids" ]]; then
    cat "$work/cids" >>"$ALL_CIDS_FILE"
  fi
  rm -rf "$work"
}

cleanup_all() {
  local f=$1
  if [[ ! -f "$f" ]] || [[ ! -s "$f" ]]; then
    log "[cleanup] No container IDs found, skipping"
    return 0
  fi
  log "[cleanup] Stopping and removing containers..."
  sort -u "$f" -o "$f.uniq"
  while read -r id; do
    [[ -z "$id" ]] && continue
    sudo nerdctl -n "$NS" rm -f "$id" >/dev/null 2>&1 || true
  done <"$f.uniq"
  rm -f "$f.uniq"
  log "[cleanup] Done"
}

ALL_CIDS_FILE=""

print_help() {
  log "Usage: $0 [options] <1|10|32|64>"
  log ""
  log "Options:"
  log "  --blockfile, -B     Use blockfile snapshotter"
  log "  --devmapper, -D     Use devmapper snapshotter (default)"
  log "  --snapshotter, -s <name>  Specify snapshotter"
  log "  -h, --help          Show help"
  log ""
  log "Examples:"
  log "  $0 1"
  log "  $0 --blockfile 64"
  log "  SNAPSHOTTER=blockfile $0 10"
  log ""
  log "Env: FORCE_PULL=1 forces image pull"
}

usage() {
  print_help
  exit 1
}

usage_help() {
  print_help
  exit 0
}

main() {
  while [[ $# -gt 0 ]]; do
    case "$1" in
      --blockfile|-B)
        SNAPSHOTTER=blockfile
        shift
        ;;
      --devmapper|-D)
        SNAPSHOTTER=devmapper
        shift
        ;;
      --snapshotter|-s)
        SNAPSHOTTER=$2
        shift 2
        ;;
      -h|--help)
        usage_help
        ;;
      -*)
        log "Error: unknown option: $1"
        usage
        ;;
      *)
        break
        ;;
    esac
  done

  local concurrency="${1:-}"
  case "$concurrency" in
    1|10|32|64) ;;
    *)
      log "Error: concurrency must be 1, 10, 32, or 64"
      usage
      ;;
  esac

  log "== Concurrent startup benchmark =="
  log "NS=$NS IMAGE=$IMAGE SNAPSHOTTER=$SNAPSHOTTER RUNTIME=$RUNTIME"
  log "Concurrency: $concurrency NAME_PREFIX=$NAME_PREFIX"

  run_reset
  ensure_image

  ALL_CIDS_FILE="$(mktemp "${TMPDIR:-/tmp}/${SCRIPT_TAG}-all-cids.XXXXXX")"
  trap 'cleanup_all "$ALL_CIDS_FILE"; rm -f "$ALL_CIDS_FILE" 2>/dev/null || true' EXIT

  run_batch "$concurrency"

  log ""
  log "======== Finished, cleaning containers ========"
  cleanup_all "$ALL_CIDS_FILE"
  rm -f "$ALL_CIDS_FILE"
  ALL_CIDS_FILE=""
  trap - EXIT
}

main "$@"

[cmainas]

Thank you @sidneychang it would also be nice to have the code for the view snapshot. Preferably in a repository.

[cmainas]

Hello @sidneychang ,

here is a brief overview of the today's meeting (02/04/2026):

• The urunc images with "block" in their name have a block image inside the container's rootfs and urunc uses this block image as the rootfs of the sandbox. Therefore, there is no copy of boot files from urunc in these images.
• As your evaluation shows, the creation of view snapshots is slow and it seems they might harm the overall startup time in urunc.
• Please push somewhere your work (scripts, patches, etc.) so we can also look at it.
• Another exploration point is the base_image_size field in devmapper's configuration in containerd. Maybe this value affects the overhead of the creation of a view snapshot.
• Another evaluation that we need to perform is the storage / memory consumption of each approach. Measure the overhead in storage or memory that a view snapshot creates vs the current approach of copying the boot files (e.g. for 100 containers).
• Optionally, we can investigate more the internals of devmapper and other block-based snapshotters to identify what causes such overhead.
• Optionally, we can apply ideas from other snapshotters and create a specific snapshotter for urunc.

[sidneychang]

urunc view vs no-view Evaluation Update

At the moment, I have not cleaned up the benchmarking code yet. I plan to organize it and upload it to the repository later. For now, I would like to share some of the findings I observed, and I may adjust the test scripts based on the feedback here

---

What I tested

• Modes: with view vs no view
• Snapshotters: devmapper, blockfile
• Workload: sequential container startup, N=10,20,30,40,50

Metric scope

• mem_avail: system available memory (from /proc/meminfo)
• RSS(containerd+shim+qemu): sum RSS of key runtime processes
• snapshotter_root_bytes: du size of snapshotter plugin directory
• run_containerd_bytes: du size of /run/containerd (includes runtime bundle/monRootfs artifacts)
• batch_elapsed_sec: total cleanup time of one batch
• For mem_avail, absolute peak values across runs should be interpreted carefully because baselines differ; the more meaningful signal is the drop from baseline to the point after all N containers are started.

Sampling points

• Startup baseline point (internal tag: before_sequential_N)
• Point after all N containers are started (internal tag: after_start_N_of_N)
• Point after cleanup is completed (internal tag: after_cleanup_sequential_N)
• Main comparisons here are based on same N + same snapshotter pairs, with with_view - no_view.

---

What the data currently shows

devmapper

• Peak RSS(containerd+shim+qemu) is consistently higher with with_view.
• From the raw table, most RSS increase appears in shim_urunc_rss_sum_kb, while qemu_rss_sum_kb differences are relatively small. This looks more like shim/view lifecycle overhead than a larger guest footprint.
• mem_avail shows small positive shifts, but this should be read using baseline-to-post-start drop, not absolute peak-only comparison.
• Peak snapshotter_root is almost identical between modes.
• Cleanup is generally slower with with_view (except one small point).

blockfile

• mem_avail alternates in sign; no stable trend.
• Peak RSS is also higher with with_view.
• The RSS increase is also mostly on the shim side (shim_urunc_rss_sum_kb), with smaller changes in qemu_rss_sum_kb.
• snapshotter_root grows strongly with N, while mode differences are small.
• Cleanup is also slightly slower with with_view.

---

Quick takeaway

In this sequential startup test (N=10/20/30/40/50), what we see so far is: there are local optimization signals, but no stable net gain at system level yet.

• Some metrics show small positive signs.
• But at system level, RSS and cleanup time do not show a clear net benefit.
• Under blockfile, fixed block allocation is strong enough to hide local view-path improvements.

---

My current analysis

The optimization target of view is clear: avoid copying boot artifacts (unikernel/initrd/urunc.json) into monRootfs, and bind from snapshot view instead.
This is a valid optimization direction, but it only covers a narrow part of the startup path.

Based on current code-path notes and previous experiment logs, one working hypothesis is:

• The original path copies 3 files on tmpfs (unikernel/initrd/urunc.json).
• In the current test image, this is roughly ~7MB memory filesystem footprint per container.
• So view should reduce that part of copy pressure.
• But in current observations, view may introduce extra memory overhead (possibly from snapshotter client/view lifecycle management), and previous concurrent tests also suggested possible extra startup delay on devmapper.

In this run, total cost is likely dominated by:

• qemu/shim/container startup/runtime overhead
• snapshotter + mount/metadata management overhead
• cleanup/reclaim overhead
• strong fixed-allocation behavior in blockfile

---

Current experiment limitations

• with_view / no_view are not strict alternating A/B in the exact same run window; baseline drift exists.
• For mem_avail, absolute peak comparisons can be misleading under baseline drift; baseline-to-post-start drop is more reliable.
• snapshot_count has small fluctuations at some points.
• Cleanup sampling timing may include async reclaim noise.
• Blockfile cleanup behavior still needs finer validation.
• Storage interpretation differs by snapshotter backend.

---

mem_avail baseline-to-post-start drop

The table below shows before -> point after all N containers are started drop (GiB), which is more reliable than peak absolute-only comparison:

snapshotter	N	no_view drop	with_view drop	diff (with - no)
devmapper	10	1.663	1.651	-0.012
devmapper	20	2.365	2.347	-0.018
devmapper	30	3.218	3.351	+0.133
devmapper	40	4.617	4.535	-0.082
devmapper	50	5.823	5.503	-0.320
blockfile	10	0.954	0.950	-0.004
blockfile	20	2.089	1.998	-0.091
blockfile	30	3.202	2.984	-0.218
blockfile	40	4.209	3.974	-0.235
blockfile	50	5.375	5.101	-0.274

Using this view, with_view has a smaller drop in most points (except devmapper N=30), but the magnitude is modest and should be interpreted together with RSS and cleanup behavior.

---

Key raw data excerpts

1) Points after all N containers are started devmapper

mode	N	mem_avail_kb	containerd_main_rss_kb	shim_urunc_rss_sum_kb	qemu_rss_sum_kb	snapshotter_root_bytes	run_containerd_bytes	snapshot_count	running_containers
no_view	10	248314904	32508	53228	1024724	1179648	125957698	29	10
with_view	10	248478440	37868	143864	1022620	1179648	126100588	30	10
no_view	20	246843956	32508	118824	2069828	1179648	251906448	40	20
with_view	20	247027776	40620	288884	2065772	1179648	252192253	41	20
no_view	30	245839760	32508	164484	3097156	1179648	377861598	48	30
with_view	30	245956880	35684	410324	3081752	1179648	378290452	49	30
no_view	40	244673168	32508	233116	4114892	1179648	503823148	59	40
with_view	40	244732788	35832	547356	4115332	1179648	504394954	60	40
no_view	50	243444748	35268	283300	5160976	1179648	629791098	69	50
with_view	50	243586560	51908	691148	5173860	1179648	630505850	71	50

2) Points after all N containers are started blockfile

mode	N	mem_avail_kb	containerd_main_rss_kb	shim_urunc_rss_sum_kb	qemu_rss_sum_kb	snapshotter_root_bytes	run_containerd_bytes	snapshot_count	running_containers
no_view	10	248500376	32508	57876	1024656	15204614144	125957698	28	10
with_view	10	248340752	46996	146856	1026228	15204614144	126099043	29	10
no_view	20	247306408	32508	115700	2063624	20447494144	251906448	38	20
with_view	20	247258696	51788	276760	2059460	20447494144	252189173	39	20
no_view	30	246017552	32508	168880	3104948	25690374144	377861598	48	30
with_view	30	246077888	52752	408188	3102048	25690374144	378285703	49	30
no_view	40	245042532	35016	225292	4140136	30933254144	503823148	58	40
with_view	40	245035992	44232	553748	4134308	30933254144	504388633	59	40
no_view	50	243810548	39748	286236	5162880	36176134144	629791098	68	50
with_view	50	243843284	57308	683500	5158616	36176134144	630497963	69	50

3) Points after cleanup is completed devmapper

mode	N	batch_elapsed_sec	mem_avail_kb	snapshotter_root_bytes	run_containerd_bytes	snapshot_count	running_containers
no_view	10	11.930104	249229028	1179648	15348	18	0
with_view	10	11.910459	249370956	1179648	15348	18	0
no_view	20	24.590242	249013080	1179648	15348	18	0
with_view	20	25.210551	249217436	1179648	15348	18	0
no_view	30	38.386461	249256648	1179648	15348	18	0
with_view	30	39.363232	249156184	1179648	15348	18	0
no_view	40	53.939509	249309072	1179648	15348	18	0
with_view	40	54.497614	249130544	1179648	15348	18	0
no_view	50	69.225268	249261788	1179648	15348	18	0
with_view	50	70.900510	249115928	1179648	15348	18	0

4) Points after cleanup is completed blockfile

mode	N	batch_elapsed_sec	mem_avail_kb	snapshotter_root_bytes	run_containerd_bytes	snapshot_count	running_containers
no_view	10	32.722383	249421000	12058886144	15348	18	0
with_view	10	32.865807	249296476	12058886144	15348	18	0
no_view	20	65.979176	249346708	12058886144	15348	18	0
with_view	20	66.430903	249118792	12058886144	15348	18	0
no_view	30	101.300709	249364368	12583174144	15348	18	0
with_view	30	102.049901	249099836	12058886144	15348	18	0
no_view	40	136.507869	249376008	12058886144	15348	18	0
with_view	40	137.544523	249056540	11534598144	15348	18	0
no_view	50	172.589100	249345964	12058886144	15348	18	0
with_view	50	173.901752	249008724	12583174144	15348	18	0

Quick summary

• In this run, view does not show a stable net system-level gain.
• Peak RSS is higher with with_view in both snapshotters.
• devmapper shows small positive signals in mem_avail, but the magnitude is limited.
• Under blockfile, fixed allocation effects are very strong and can hide local view-path benefits.
• Cleanup is generally a bit slower with with_view.
• Based on code-path understanding, this currently looks like: one local copy-saving optimization offset by other overheads.

[sidneychang]

There is an issue with the previous interpretation of the storage results. The du usage under /run/containerd is not a meaningful indicator of devmapper snapshot storage, because it mainly reflects containerd runtime directories, such as bundles, logs, and the tmpfs-backed monRootfs. The actual storage consumed by devmapper snapshots is allocated in the thin-pool as data blocks and metadata blocks. Therefore, devmapper storage usage should be evaluated using thin-pool metrics (thin_data_used_bytes / thin_data_pct and thin_meta_used_bytes / thin_meta_pct), rather than by measuring the size of a runtime directory with du.

From the thin-pool perspective, with-view and no-view are almost identical in data usage. The differences in thin_data_used_bytes are only a few bytes to a few kilobytes and can be treated as negligible noise. with-view only shows a small reduction in thin metadata usage. Specifically, compared with no-view, with-view reduces thin metadata usage by 8,704 B at N=10, 14,336 B at N=20, 21,504 B at N=30, 24,064 B at N=40, and 29,184 B at N=50.

The detailed thin-pool comparison is as follows:

N	thin_data_used_bytes (no-view)	thin_data_used_bytes (with-view)	Δ data (B)	thin_data_pct (no-view)	thin_data_pct (with-view)	thin_meta_used_bytes (no-view)	thin_meta_used_bytes (with-view)	Δ meta (B)	thin_meta_pct (no-view)	thin_meta_pct (with-view)
10	2,342,400	2,341,888	-512	0.1745	0.1745	5,337,600	5,328,896	-8,704	0.6363	0.6353
20	2,408,960	2,408,448	-512	0.1795	0.1794	5,448,704	5,434,368	-14,336	0.6495	0.6478
30	2,471,424	2,469,888	-1,536	0.1841	0.1840	5,553,664	5,532,160	-21,504	0.6620	0.6595
40	2,532,864	2,532,352	-512	0.1887	0.1887	5,656,064	5,632,000	-24,064	0.6743	0.6714
50	2,594,304	2,593,792	-512	0.1933	0.1933	5,758,464	5,729,280	-29,184	0.6865	0.6830

These results indicate that with-view does not materially reduce the actual thin-pool data consumption of the devmapper snapshots. In other words, from the perspective of real devmapper backend storage, with-view and no-view are essentially the same, except for a small metadata reduction in with-view.

However, with-view does reduce tmpfs usage on the runtime path. In the original no-view path, files from the rootfs are moved into the tmpfs-backed monRootfs, which consumes tmpfs space under /run/containerd. By contrast, the with-view path uses bind-mounts to expose these files to monRootfs without copying them into tmpfs. Therefore, although with-view does not significantly reduce thin-pool usage, it does reduce tmpfs consumption in the runtime directory.

In summary, the benefit of with-view is mainly the elimination of extra tmpfs duplication in /run/containerd, rather than a meaningful reduction in devmapper thin-pool storage usage.

[sidneychang]

I investigated the memory delta between view and no-view in the busybox-linux-raw workload (100 containers), and I observed the following (from the after_start_100_of_100 samples):

• view

  • shim_urunc_rss_sum_kb: 1185.50 MiB
  • shim_urunc_pss_sum_kb: 464.99 MiB

• no-view (bak shim baseline)

  • shim_urunc_rss_sum_kb: 537.81 MiB
  • shim_urunc_pss_sum_kb: 360.86 MiB

• delta (view - no-view)

  • Shim RSS: +647.69 MiB
  • Shim PSS: +104.13 MiB

These numbers suggest the extra RSS growth is mainly tied to the shim path after introducing and executing the containerd-related stack (client/gRPC/service path). PSS grows less, so part of the RSS gap is shared-page accounting amplification, but there is still a real physical-memory increase.

[sidneychang]

Memory Growth Analysis: View vs No-View (100 Containers)

Based on the experimental data, I think PSS provides a more accurate estimate of the actual memory overhead, as it avoids double counting of shared pages across shim processes.
I compared view and no_view under the same workload (busybox-linux-raw) and plotted the memory deltas across container count N.

Figures

• Total delta:

• Per-container delta:

The second figure supports the idea that RSS is not a reliable metric for total memory usage in this setting, while PSS is more appropriate. At small N, the RSS delta per container starts from a much higher value and then drops noticeably as more containers are added, which suggests that part of the measured RSS comes from memory that is not truly private to each shim process and is only gradually amortized across processes. In other words, RSS reflects repeated accounting of pages that are shared across similar shim processes, so it overestimates the actual total memory cost. By contrast, PSS converges much faster to a lower and more stable value, because it proportionally distributes shared pages among the processes that map them. Therefore, the per-container plot supports using PSS rather than RSS to estimate the real system-wide memory overhead of these processes.

[cmainas]

Hello @sidneychang ,

the RSS and PPS values are process specific and not exactly what we are trying to evaluate. We need to evaluate the storage overhead of using view snapshots vs copying files (non-view snapshot). This overhead is not specific to a process, but to the system (storage).

[cmainas]

Hello @sidneychang ,

here is a brief overview of the yesterday's meeting (08/04/2026):

• The RSS and PSS metrics are process specific metrics about the memory consumption. While these metrics can get affected from the implementation (communication with containerd for view snapshots, urunc copying files), we need to focus on the storage consumption of each approach. Therefore, we need to use system metrics and not process ones.
• Our goal is to evaluate the storage overhead of each approach (view/non-view snapshot) and make sure that the view snapshot can reduce the storage overhead for similar container images. If we verify this, then we can provide a configuration option for urunc to either use a copy or a view snapshot depending on the system requirements.
• The current evaluation for the storage needs to get more specific for the containers we execute. Therefore, instead of measuring the whole /runc/containerd directory, we should focus on the monRootfs for each container.
• As you mentioned correctly, using du to measure each container's storage overhead (rootfs) will not be very reliable. The reason is that in the copy (non-view) approach urunc will copy the files to monRootfs, while in the view approach, urunc will bind mount them inside monRootfs, therefore du will show that the storage overhead is the same. Therefore, du is not the appropriate tool for our case.
• In urunc we use mount namespaces for the container. Therefore, when we measure the size from the host and not inside the container, we are inside the parent mount namespace and, due to a bug in urunc, the rootfs directory remains in the host mounted. However, inside the container's mount namespace the rootfs from the block-based snapshotter gets unmounted.
• We need to verify the data we retrieve from the dm and lv commands for the storage overhead of view and non-view snapshots. Based on how view snapshots are described, there should be no difference between the view and non-view approaches.
• Another approach to measure the storage overhead could be from inside urunc. In urunc, we create the monRootfs directory which is the rootfs directory for the host container (where the monitor will execute). So, using the urunc instance that sets up the monRootfs (which is inside the container's mount namespace) has a better view of the whole storage overhead inside the bundle (both rootfs and monRootfs). For this approach, there are two possible ways: 1) we do everything from the urunc, implementing the logic in Go, or 2) we spawn the container and while the container is spawned, we can enter the mount namespace of the urunc container and measure the storage overhead with shell tools. For the latter way, please take a look at https://urunc.io/developer-guide/debugging/

Also, please try to have a repository where you place all your code, so we can check it easier.

[sidneychang]

I’m currently in the process of cleaning up the related code implementation. The code still contains some noise, leftover comments, and extra log prints, which I will address later. My rough implementation is here: shared-view d68ab01#diff-33ef32bf6c23acb95f5902d7097b7a1d5128ca061167ec0716715b0b9eeaa5f6

Some scripts I used for testing (not yet fully organized) are here: d8a5215#diff-de5a0901e44e85d6676bd788da033bd68b0f0c09b6bcbd9346bbe908534fb39d

[sidneychang]

@cmainas Hello, I followed the second approach you suggested: instead of measuring from the host mount namespace, I first spawned the container, then entered the corresponding mount namespace and inspected the bundle from urunc’s view.

What I mainly want to confirm is whether the evidence below is sufficient to support the following claim:

In the view path, we are no longer copying kernel and urunc.json into tmpfs inside monRootfs; instead, we are reusing the existing shared view for these artifacts.

My current reading is the following.

What I checked

I used cntr attach <qemu-pid> to inspect the mount namespace from inside the urunc/QEMU view, and then compared df -h and mount between the non-view and view cases.

This seems important because, as you mentioned, measuring from the host namespace is not enough for this case, and the relevant state is the one visible inside the container’s mount namespace.

Current observations

1. Non-view case

Inside the namespace, I see:

• /var/lib/cntr/.boot mounted as tmpfs
• /var/lib/cntr/urunc.json also mounted as tmpfs

At the same time, QEMU is launched with:

• -kernel /.boot/kernel

(base) root@sev:~/zxd/urunc# cntr attach 1473384

(base) root@sev:/var/lib/cntr# mount
/dev/mapper/ubuntu--vg-ubuntu--lv on / type ext4 (rw,relatime,stripe=64)
...
tmpfs on /var/lib/cntr/.boot type tmpfs (rw,nosuid,nodev,noexec,relatime,size=26272656k,mode=755,inode64)
tmpfs on /var/lib/cntr/urunc.json type tmpfs (rw,nosuid,nodev,noexec,relatime,size=26272656k,mode=755,inode64)
tmpfs on /var/lib/cntr/tmp type tmpfs (rw,nosuid,noexec,size=65536k,inode64)
tmpfs on /var/lib/cntr/urunit.conf type tmpfs (rw,nosuid,nodev,noexec,relatime,size=26272656k,mode=755,inode64)

So my current interpretation is that, in the non-view path, kernel and urunc.json are materialized into tmpfs inside monRootfs, and QEMU is using the tmpfs-backed /.boot/kernel.

I also noticed that /run grows from about 2.7M before startup to about 5.4M after startup in this case, which is at least consistent with additional tmpfs materialization.

2. View case

In the view case, on the host side I see an extra shared-view mount:

• /run/urunc/shared-views/.../data

Then, inside the urunc/QEMU mount namespace, I see:

• /var/lib/cntr/.boot itself is still tmpfs
• /var/lib/cntr/.boot/kernel is mounted from the shared view snapshot
• /var/lib/cntr/urunc.json is also mounted from the shared view snapshot
• both are read-only mounts from the shared snapshot, not tmpfs files

QEMU is still launched with:

• -kernel /.boot/kernel

(base) root@sev:~/zxd/urunc# cntr attach 1493806

(base) root@sev:/var/lib/cntr# mount
/dev/mapper/ubuntu--vg-ubuntu--lv on / type ext4 (rw,relatime,stripe=64)
...
tmpfs on /var/lib/cntr/.boot type tmpfs (rw,nosuid,nodev,noexec,relatime,size=26272656k,mode=755,inode64)
/dev/mapper/containerd-pool-snap-7628 on /var/lib/cntr/.boot/kernel type ext2 (ro,noatime,stripe=16)
/dev/mapper/containerd-pool-snap-7628 on /var/lib/cntr/urunc.json type ext2 (ro,noatime,stripe=16)
tmpfs on /var/lib/cntr/tmp type tmpfs (rw,nosuid,noexec,size=65536k,inode64)
tmpfs on /var/lib/cntr/urunit.conf type tmpfs (rw,nosuid,nodev,noexec,relatime,size=26272656k,mode=755,inode64)

So my current interpretation is that, in the view path, we are no longer copying kernel and urunc.json into tmpfs per container. Instead, we appear to be reusing the already existing shared view and mounting those objects from there into monRootfs.

I also noticed that /run stays roughly at 2.6M -> 2.7M in this case.

Tentative conclusion

Based on these observations, my current understanding is:

1. du is indeed not a reliable tool for measuring per-container storage overhead in this case, for the reasons you explained.
2. Entering the mount namespace with cntr attach seems to expose the relevant monRootfs state.
3. The mount layout appears to show that, for kernel and urunc.json, the view path has replaced the original copy-to-tmpfs path.
4. More specifically, it looks like the tmpfs-side materialization present in the non-view path is avoided in the view path.

Question

Would you consider this evidence strong enough to support that claim?

More specifically, does the combination of:

• entering the urunc/QEMU mount namespace with cntr attach
• seeing .boot and urunc.json as tmpfs in the non-view case
• seeing .boot/kernel and urunc.json mounted from the shared view in the view case
• and seeing QEMU still use -kernel /.boot/kernel

justify saying that we have moved from “copy into tmpfs” to “reuse the existing shared view” for these artifacts?

If this interpretation is correct, the next things I plan to analyze are:

1. Verify the data we retrieve from the dm and lv commands for the storage overhead of view and non-view snapshots.
2. Analyze whether the memory reduced on the tmpfs side is offset again by increased shim memory due to the extra containerd client path.
3. Organize the measurement code and scripts this week so that I can share a cleaner and reproducible version.

Full raw commands and outputs

Non-view: raw commands and outputs

(base) root@sev:~/zxd/urunc# df -h
Filesystem                         Size  Used Avail Use% Mounted on
tmpfs                               26G  2.7M   26G   1% /run
efivarfs                           128K   23K  101K  19% /sys/firmware/efi/efivars
/dev/mapper/ubuntu--vg-ubuntu--lv  492G  260G  211G  56% /
tmpfs                              126G     0  126G   0% /dev/shm
tmpfs                              5.0M     0  5.0M   0% /run/lock
tmpfs                              4.0M     0  4.0M   0% /sys/fs/cgroup
tmpfs                              126G  220K  126G   1% /run/qemu
/dev/sda2                          2.0G  289M  1.6G  16% /boot
/dev/sda1                          1.1G  6.2M  1.1G   1% /boot/efi
tmpfs                               26G   44K   26G   1% /run/user/0

(base) root@sev:~/zxd/urunc# nerdctl ps -a
CONTAINER ID    IMAGE    COMMAND    CREATED    STATUS    PORTS    NAMES

(base) root@sev:~/zxd/urunc# nerdctl -n default --snapshotter devmapper run -d --name urunc-noview-check \
  --runtime io.containerd.urunc.v2 \
  harbor.nbfc.io/nubificus/urunc/nginx-qemu-linux-raw:latest

103f7c493efc574cc11985a51845cda405aa8448af5c5387150b715da32ad2d9

(base) root@sev:~/zxd/urunc# nerdctl ps
CONTAINER ID    IMAGE                                                         COMMAND                   CREATED           STATUS    PORTS    NAMES
103f7c493efc    harbor.nbfc.io/nubificus/urunc/nginx-qemu-linux-raw:latest    "/urunit /usr/sbin/n…"    41 seconds ago    Up                 urunc-noview-check

(base) root@sev:~/zxd/urunc# df -h
Filesystem                             Size  Used Avail Use% Mounted on
tmpfs                                   26G  5.4M   26G   1% /run
efivarfs                               128K   23K  101K  19% /sys/firmware/efi/efivars
/dev/mapper/ubuntu--vg-ubuntu--lv      492G  260G  211G  56% /
tmpfs                                  126G     0  126G   0% /dev/shm
tmpfs                                  5.0M     0  5.0M   0% /run/lock
tmpfs                                  4.0M     0  4.0M   0% /sys/fs/cgroup
tmpfs                                  126G  220K  126G   1% /run/qemu
/dev/sda2                              2.0G  289M  1.6G  16% /boot
/dev/sda1                              1.1G  6.2M  1.1G   1% /boot/efi
tmpfs                                   26G   44K   26G   1% /run/user/0
/dev/mapper/containerd-pool-snap-7625 1007M   50M  906M   6% /run/containerd/io.containerd.runtime.v2.task/default/103f7c493efc574cc11985a51845cda405aa8448af5c5387150b715da32ad2d9/rootfs

(base) root@sev:~/zxd/urunc# ps aux | grep urunc
root     1473339  0.0  0.0 1233708 4704 ?        Sl   21:39   0:00 /usr/local/bin/containerd-shim-urunc-v2 -namespace default -id 103f7c493efc574cc11985a51845cda405aa8448af5c5387150b715da32ad2d9 -address /run/containerd/containerd.sock -debug
root     1473384 99.3  0.0 907672 68608 ?        Ssl  21:39   0:58 /opt/urunc/bin/qemu-system-x86_64 -m 268M -L /usr/share/qemu -cpu host -enable-kvm -display none -vga none -serial stdio -monitor null -smp 1 --sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny -kernel /.boot/kernel -net nic,model=virtio,macaddr=1e:63:8a:f6:17:60 -net tap,script=no,downscript=no,ifname=tap0_urunc -device virtio-blk-pci,serial=rootfs,drive=rootfs -drive format=raw,if=none,id=rootfs,file=/dev/mapper/containerd-pool-snap-7625 -initrd /urunit.conf -no-reboot -nodefaults -append panic=-1 console=ttyS0 root=/dev/vda rw ip=10.4.0.198::10.4.0.1:255.255.255.0:urunc:eth0:off retain_initrd URUNIT_CONFIG=/sys/firmware/initrd init=/urunit -- /usr/sbin/nginx -g 'daemon off;error_log stderr debug;
root     1481730  0.0  0.0   6548  1544 pts/10   S+   21:40   0:00 grep --color=auto urunc

(base) root@sev:~/zxd/urunc# mount
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
udev on /dev type devtmpfs (rw,nosuid,relatime,size=131322468k,nr_inodes=32830617,mode=755,inode64)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000)
tmpfs on /run type tmpfs (rw,nosuid,nodev,noexec,relatime,size=26272656k,mode=755,inode64)
efivarfs on /sys/firmware/efi/efivars type efivarfs (rw,nosuid,nodev,noexec,relatime)
/dev/mapper/ubuntu--vg-ubuntu--lv on / type ext4 (rw,relatime,stripe=64)
...
/dev/mapper/containerd-pool-snap-7625 on /run/containerd/io.containerd.runtime.v2.task/default/103f7c493efc574cc11985a51845cda405aa8448af5c5387150b715da32ad2d9/rootfs type ext2 (rw,relatime,stripe=16)

(base) root@sev:~/zxd/urunc# cntr attach 1473384

(base) root@sev:/var/lib/cntr# df -h
Filesystem                             Size  Used Avail Use% Mounted on
/dev/mapper/ubuntu--vg-ubuntu--lv      492G  260G  211G  56% /
tmpfs                                  126G     0  126G   0% /dev/shm
tmpfs                                   26G  5.4M   26G   1% /run
tmpfs                                  5.0M     0  5.0M   0% /run/lock
tmpfs                                  126G  220K  126G   1% /run/qemu
tmpfs                                   26G   44K   26G   1% /run/user/0
/dev/mapper/containerd-pool-snap-7625 1007M   50M  906M   6% /run/containerd/io.containerd.runtime.v2.task/default/103f7c493efc574cc11985a51845cda405aa8448af5c5387150b715da32ad2d9/rootfs
efivarfs                               128K   23K  101K  19% /sys/firmware/efi/efivars
tmpfs                                  4.0M     0  4.0M   0% /sys/fs/cgroup
/dev/sda2                              2.0G  289M  1.6G  16% /boot
/dev/sda1                              1.1G  6.2M  1.1G   1% /boot/efi
tmpfs                                  126G     0  126G   0% /var/lib/cntr
tmpfs                                   64M     0   64M   0% /var/lib/cntr/dev
tmpfs                                   64M     0   64M   0% /var/lib/cntr/tmp

(base) root@sev:/var/lib/cntr# mount
/dev/mapper/ubuntu--vg-ubuntu--lv on / type ext4 (rw,relatime,stripe=64)
...
tmpfs on /var/lib/cntr/.boot type tmpfs (rw,nosuid,nodev,noexec,relatime,size=26272656k,mode=755,inode64)
tmpfs on /var/lib/cntr/urunc.json type tmpfs (rw,nosuid,nodev,noexec,relatime,size=26272656k,mode=755,inode64)
tmpfs on /var/lib/cntr/tmp type tmpfs (rw,nosuid,noexec,size=65536k,inode64)
tmpfs on /var/lib/cntr/urunit.conf type tmpfs (rw,nosuid,nodev,noexec,relatime,size=26272656k,mode=755,inode64)

View: raw commands and outputs

(base) root@sev:~/zxd/urunc# df -h
Filesystem                         Size  Used Avail Use% Mounted on
tmpfs                               26G  2.6M   26G   1% /run
efivarfs                           128K   23K  101K  19% /sys/firmware/efi/efivars
/dev/mapper/ubuntu--vg-ubuntu--lv  492G  260G  211G  56% /
tmpfs                              126G     0  126G   0% /dev/shm
tmpfs                              5.0M     0  5.0M   0% /run/lock
tmpfs                              4.0M     0  4.0M   0% /sys/fs/cgroup
tmpfs                              126G  220K  126G   1% /run/qemu
/dev/sda2                          2.0G  289M  1.6G  16% /boot
/dev/sda1                          1.1G  6.2M  1.1G   1% /boot/efi
tmpfs                               26G   48K   26G   1% /run/user/0

(base) root@sev:~/zxd/urunc# nerdctl ps
CONTAINER ID    IMAGE    COMMAND    CREATED    STATUS    PORTS    NAMES

(base) root@sev:~/zxd/urunc# mount
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
...

(base) root@sev:~/zxd/urunc# nerdctl -n default --snapshotter devmapper run -d --name urunc-view-check \
  --runtime io.containerd.urunc.v2 \
  harbor.nbfc.io/nubificus/urunc/nginx-qemu-linux-raw:latest

4b67ced7d507e0e7debcb787bc101e48b1f4749edb8ea3af7461158bd8172254

(base) root@sev:~/zxd/urunc# df -h
Filesystem                             Size  Used Avail Use% Mounted on
tmpfs                                   26G  2.7M   26G   1% /run
efivarfs                               128K   23K  101K  19% /sys/firmware/efi/efivars
/dev/mapper/ubuntu--vg-ubuntu--lv      492G  260G  211G  56% /
tmpfs                                  126G     0  126G   0% /dev/shm
tmpfs                                  5.0M     0  5.0M   0% /run/lock
tmpfs                                  4.0M     0  4.0M   0% /sys/fs/cgroup
tmpfs                                  126G  220K  126G   1% /run/qemu
/dev/sda2                              2.0G  289M  1.6G  16% /boot
/dev/sda1                              1.1G  6.2M  1.1G   1% /boot/efi
tmpfs                                   26G   48K   26G   1% /run/user/0
/dev/mapper/containerd-pool-snap-7628 1007M   53M  903M   6% /run/urunc/shared-views/devmapper_default_sha256:69bd1c06dccfa3cf9ab836e1e11911873c36d453403dc97d34572b50365b6dc1/data
/dev/mapper/containerd-pool-snap-7627 1007M   53M  903M   6% /run/containerd/io.containerd.runtime.v2.task/default/4b67ced7d507e0e7debcb787bc101e48b1f4749edb8ea3af7461158bd8172254/rootfs

(base) root@sev:~/zxd/urunc# mount
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
...
/dev/mapper/containerd-pool-snap-7628 on /run/urunc/shared-views/devmapper_default_sha256:69bd1c06dccfa3cf9ab836e1e11911873c36d453403dc97d34572b50365b6dc1/data type ext2 (ro,noatime,stripe=16)
/dev/mapper/containerd-pool-snap-7627 on /run/containerd/io.containerd.runtime.v2.task/default/4b67ced7d507e0e7debcb787bc101e48b1f4749edb8ea3af7461158bd8172254/rootfs type ext2 (rw,relatime,stripe=16)

(base) root@sev:~/zxd/urunc# ps aux | grep urunc
root     1493736  0.0  0.0 1240692 12576 ?       Sl   21:47   0:00 /usr/local/bin/containerd-shim-urunc-v2 -namespace default -id 4b67ced7d507e0e7debcb787bc101e48b1f4749edb8ea3af7461158bd8172254 -address /run/containerd/containerd.sock -debug
root     1493806 98.5  0.0 915868 67696 ?        Ssl  21:47   0:24 /opt/urunc/bin/qemu-system-x86_64 -m 268M -L /usr/share/qemu -cpu host -enable-kvm -display none -vga none -serial stdio -monitor null -smp 1 --sandbox on,obsolete=deny,elevateprivileges=deny,spawn=deny,resourcecontrol=deny -kernel /.boot/kernel -net nic,model=virtio,macaddr=8e:1f:91:1a:ae:2e -net tap,script=no,downscript=no,ifname=tap0_urunc -device virtio-blk-pci,serial=rootfs,drive=rootfs -drive format=raw,if=none,id=rootfs,file=/dev/mapper/containerd-pool-snap-7627 -initrd /urunit.conf -no-reboot -nodefaults -append panic=-1 console=ttyS0 root=/dev/vda rw ip=10.4.0.199::10.4.0.1:255.255.255.0:urunc:eth0:off retain_initrd URUNIT_CONFIG=/sys/firmware/initrd init=/urunit -- /usr/sbin/nginx -g 'daemon off;error_log stderr debug;
root     1494961  0.0  0.0   6548  1556 pts/10   S+   21:47   0:00 grep --color=auto urunc

(base) root@sev:~/zxd/urunc# cntr attach 1493806

(base) root@sev:/var/lib/cntr# df -h
Filesystem                             Size  Used Avail Use% Mounted on
/dev/mapper/ubuntu--vg-ubuntu--lv      492G  260G  211G  56% /
tmpfs                                  126G     0  126G   0% /dev/shm
tmpfs                                   26G  2.7M   26G   1% /run
tmpfs                                  5.0M     0  5.0M   0% /run/lock
tmpfs                                  126G  220K  126G   1% /run/qemu
tmpfs                                   26G   48K   26G   1% /run/user/0
/dev/mapper/containerd-pool-snap-7628 1007M   53M  903M   6% /run/urunc/shared-views/devmapper_default_sha256:69bd1c06dccfa3cf9ab836e1e11911873c36d453403dc97d34572b50365b6dc1/data
/dev/mapper/containerd-pool-snap-7627 1007M   53M  903M   6% /run/containerd/io.containerd.runtime.v2.task/default/4b67ced7d507e0e7debcb787bc101e48b1f4749edb8ea3af7461158bd8172254/rootfs
efivarfs                               128K   23K  101K  19% /sys/firmware/efi/efivars
tmpfs                                  4.0M     0  4.0M   0% /sys/fs/cgroup
/dev/sda2                              2.0G  289M  1.6G  16% /boot
/dev/sda1                              1.1G  6.2M  1.1G   1% /boot/efi
tmpfs                                  126G     0  126G   0% /var/lib/cntr
tmpfs                                   64M     0   64M   0% /var/lib/cntr/dev
tmpfs                                   64M     0   64M   0% /var/lib/cntr/tmp

(base) root@sev:/var/lib/cntr# mount
/dev/mapper/ubuntu--vg-ubuntu--lv on / type ext4 (rw,relatime,stripe=64)
...
tmpfs on /var/lib/cntr/.boot type tmpfs (rw,nosuid,nodev,noexec,relatime,size=26272656k,mode=755,inode64)
/dev/mapper/containerd-pool-snap-7628 on /var/lib/cntr/.boot/kernel type ext2 (ro,noatime,stripe=16)
/dev/mapper/containerd-pool-snap-7628 on /var/lib/cntr/urunc.json type ext2 (ro,noatime,stripe=16)
tmpfs on /var/lib/cntr/tmp type tmpfs (rw,nosuid,noexec,size=65536k,inode64)
tmpfs on /var/lib/cntr/urunit.conf type tmpfs (rw,nosuid,nodev,noexec,relatime,size=26272656k,mode=755,inode64)

[cmainas]

Hello @sidneychang ,

I am surprised that cntr worked without any issues. However, I noticed something that we need to be aware of. Cntr makes use of FUSE to create the view that we see in /valr/lib/cntr. These mounts do not reflect the original mounts in the host container. You can easily verify that adding debug logs in urunc reexec. In cntr, every file in the monRootfs appears as a tmpfs mount, but this is how cntr makes it look, not how it looks inside the container. As an exmaple take urunit.conf, this is a file that urunc reexec creates and simply writes in the monRootfs, it is not mounted, it is just a simple file.

I also noticed that /run grows from about 2.7M before startup to about 5.4M after startup in this case, which is at least consistent with additional tmpfs materialization.

Does this refer to the measurement form inside cntr, or from the host?

Question

Would you consider this evidence strong enough to support that claim?

We will need to be more careful with cntr and not focus on the results of df and mount. Your observation about the growing size of /run might be the key, but we need to pin point that difference and make sure it is from the use of view snapshots, rather than anything else. To do that, it will be helpful if you answer my above question "where was this measurement taken".

More specifically, does the combination of:

* entering the urunc/QEMU mount namespace with `cntr attach`

* seeing `.boot` and `urunc.json` as `tmpfs` in the non-view case

* seeing `.boot/kernel` and `urunc.json` mounted from the shared view in the view case

* and seeing QEMU still use `-kernel /.boot/kernel`

justify saying that we have moved from “copy into tmpfs” to “reuse the existing shared view” for these artifacts?

I would say that this is the case. If I understand correctly, cntr bind mounts in /var/lib/cntr all bind mounts of monRootfs. If this is the case then the mount command you executed will show even more mounts (e.g. qemu binaries, libraries, etc.). COuld you paste the whole mount output?

[sidneychang]

Hi @cmainas

Does this refer to the measurement form inside cntr, or from the host?

I observed the same results both inside the container and on the host.

I would say that this is the case. If I understand correctly, cntr bind mounts in /var/lib/cntr all bind mounts of monRootfs. If this is the case then the mount command you executed will show even more mounts (e.g. qemu binaries, libraries, etc.). COuld you paste the whole mount output?

Here is the full output I captured before and after container startup.
With View
with_view.txt
No View
no_view.txt

[cmainas]

Hello @sidneychang ,

here is a brief overview of the last week's meeting (15/04/2026):
-The observation that the size of /run has been increased with the non-view approach (copying boot files), in contrast to the new approach (view snapshot) is very interesting and a good finding in our assumption that the view snapshots will decrease the memory.

• We still need to pin point the root cause of this increase. We just need to verify that indeed the file copies are responsible for increasing the size we observer.
• Your current approach of having a view mount and bind mounting the boot files inside the monitor's rootfs definitely removes the copy operations we are performing in the non-view approach. However, we need to check that the storage is getting increased, looking in various affected parts of the system (e.g. snapshotter, /run).
• The evaluation you have shared in the past about the devmapper snapshotter is in the right direction. However, the table needs to get updated with the new results and the table needs some more explanation. It is not very clear what some fields represent.
• The process memory is a different metric which is not that significant for the time being and not relevant to the evaluation and optimization we want to perform.

So, as next steps:

• We need to pin point that the memory increase of /run comes indeed from the copy operations of urunc
• We need to ensure that the view snapshot will add negligible storage overhead, looking in both the metadata and the system that implements the view snapshot (e.g. metrics for devmapper etc.)
• We will slowly work on integrating this work in urunc.

[sidneychang]

Thanks for the feedback from the 15/04/2026 meeting.I ran another round of view vs no-view comparison with 50 urunc containers, using the following sampling points:

• baseline sample point: right before sequential startup begins
• stable sample point: after all 50 containers are up and then settled for 60 seconds

Environment and run model

• Host: Linux 6.11.0
• Stack: containerd + urunc (RUNTIME=io.containerd.urunc.v2)
• Snapshotter: devmapper
• Image: harbor.nbfc.io/nubificus/urunc/busybox-qemu-linux-raw:latest
• Run model: single-round sequential comparison (view then no-view)

How each metric is collected, and why use it

• run_tmpfs_used_bytes: direct filesystem used-bytes on /run from df -B1 (used column).
  Why: /run is tmpfs in this setup; copy payload written into runtime bundles is reflected here.

• mem_shmem_kb: Shmem from /proc/meminfo.
  Why: cross-check for tmpfs/shmem pressure at system level; it should move with /run when tmpfs-backed copy grows. Linux tmpfs documentation states that tmpfs pages are shown as Shmem in /proc/meminfo, while also noting that this counter can include other shared memory users as well. Therefore, I use Shmem as a cross-check rather than as the only source of truth.
  Reference: Linux tmpfs documentation: https://www.kernel.org/doc/html/latest/filesystems/tmpfs.html

• thin_data_used_blocks, thin_meta_used_blocks: used dm-thin blocks from dmsetup status for the active thin-pool used by the containerd devmapper snapshotter.
  Why: this is the backend allocation signal for the devmapper snapshotter thin-pool. containerd documents that snapshotters manage snapshots of container filesystems, and the devmapper snapshotter stores snapshots in filesystem images in a Device-mapper thin-pool. Linux dm-thin documentation defines the thin-pool status fields as pool-level used metadata blocks and used data blocks. This is the level we want for observing backend allocation changes inside the devmapper snapshotter thin-pool.
  References:

  • containerd snapshotters documentation: https://github.com/containerd/containerd/blob/main/docs/snapshotters/README.md
  • containerd devmapper snapshotter documentation: https://containerd.io/docs/1.7/snapshotters/devmapper/
  • Linux dm-thin documentation: https://docs.kernel.org/admin-guide/device-mapper/thin-provisioning.html

• thin_data_used_bytes = thin_data_used_blocks * data_block_bytes, thin_meta_used_bytes = thin_meta_used_blocks * meta_block_bytes, with block sizes read via dmsetup table/status (data_block_bytes=65536, meta_block_bytes=4096 in this run).
  Why: byte-level comparison is easier to interpret than blocks while keeping dm-thin semantics. In this context, these byte values should be interpreted as devmapper thin-pool backend allocation, not as the complete storage footprint of all containers.

• sample_monrootfs_du_x_bytes: run du -sx on one container’s monRootfs (-x means same filesystem only).
  Why: detects whether there is real payload materialized inside tmpfs-backed monRootfs through the copy path, without counting bind-mounted data from other filesystems.

Scope note for the dm-thin metrics

The thin_* metrics do not represent the complete storage footprint of all containers. They represent backend allocation inside the devmapper thin-pool used by the snapshotter.

Other storage areas may include the containerd content store, containerd metadata, snapshotter metadata, runtime state under /run/containerd, urunc/shim/monitor runtime bundles, tmpfs-backed monRootfs payloads, pid/socket files, and logs. containerd also separates the persistent root directory, whose default is /var/lib/containerd, from the runtime state directory, whose default is /run/containerd.

Reference: containerd config documentation: https://containerd.io/docs/1.7/man/containerd-config.toml.5/

Therefore, the conclusion supported by thin_* is narrower:

The view path does not introduce observable additional devmapper snapshotter backend storage allocation, while it avoids the tmpfs copy payload that appears in the no-view path.

Meaningful raw excerpts (stable - before in the same run)

Column meanings:

• view-before / no-view-before: baseline value measured right before sequential startup
• view-stable / no-view-stable: stable value measured after all 50 containers are up and settled for 60 seconds
• view-delta / no-view-delta: computed as stable - before for the same mode

Metric	view-before	view-stable	view-delta	no-view-before	no-view-stable	no-view-delta
thin_data_used_bytes	114,622,464	167,051,264	+52,428,800	114,622,464	167,051,264	+52,428,800
thin_meta_used_bytes	18,104,320	18,718,720	+614,400	18,104,320	18,718,720	+614,400
thin_data_used_blocks	1,749	2,549	+800	1,749	2,549	+800
thin_meta_used_blocks	4,420	4,570	+150	4,420	4,570	+150
run_tmpfs_used_bytes	2,744,320	6,025,216	+3,280,896	2,744,320	370,769,920	+368,025,600
mem_shmem_kb	11,964	15,172	+3,208	11,968	371,368	+359,400

Additional raw excerpt during start progression (after_start_i_of_50):

• At i=10: view run_tmpfs_used_mib=3.2461, no-view 72.8125 (gap 69.5664)
• At i=20: view 3.8711, no-view 143.0078 (gap 139.1367)
• At i=30: view 4.4961, no-view 213.2031 (gap 208.7070)
• At i=40: view 5.1211, no-view 283.3984 (gap 278.2773)
• At i=50: view 5.7461, no-view 353.5938 (gap 347.8477)

sample_monrootfs_du_x_bytes excerpt:

• view path: ~4096 bytes
• no-view path: ~7,311,360 bytes

Interpretation

• /run and Shmem diverge strongly only in no-view, matching the copy-path hypothesis.
• dm-thin counters (thin_* blocks/bytes) are identical between view and no-view. Since these counters reflect backend allocation inside the devmapper snapshotter thin-pool, I do not observe additional devmapper snapshotter backend storage allocation from the view path in this controlled run.
• The du -sx split (4096 vs 7,311,360) matches bind-mount vs copy behavior in implementation.