snapshot: fix proxy mode mounting for snapshots without nydus-proxy mode label#708
Draft
fidencio wants to merge 1 commit intocontainerd:mainfrom
Conversation
Contributor
Author
|
This has been tested together with containerd/containerd#12835 |
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #708 +/- ##
==========================================
- Coverage 21.26% 21.20% -0.07%
==========================================
Files 126 126
Lines 11445 11481 +36
==========================================
Hits 2434 2434
- Misses 8682 8718 +36
Partials 329 329
🚀 New features to boost your workflow:
|
Contributor
Author
|
cc @imeoer |
BraveY
reviewed
Feb 2, 2026
snapshot/snapshot.go
Outdated
| if mountLabels == nil { | ||
| mountLabels = make(map[string]string) | ||
| } | ||
| if _, ok := mountLabels[label.CRIImageRef]; !ok && info.Parent != "" { |
Contributor
There was a problem hiding this comment.
The code for walking the parent chain to find CRIImageRef is duplicated in three places (lines ~456, ~500, and ~528).
Could we refactor this into a helper function?
Others LGTM. Thanks for the PR.
fidencio
force-pushed
the
topic/snapshot-fix-proxy-mode-mounting-for-snapshots-without-nydus-proxy-mode-label
branch
from
b033fb3 to
d96423f
Compare
imeoer
reviewed
Feb 2, 2026
snapshot/snapshot.go
Outdated
| // Handle the case where the snapshotter is in proxy mode and the snapshot has | ||
| // CRIImageRef label but not nydus-proxy-mode label. This can happen when: | ||
| // 1. The image was unpacked before the containerd fix that adds proper labels | ||
| // 2. The labels were updated after the initial unpack via containerd's fixSnapshotLabels |
Collaborator
There was a problem hiding this comment.
Hi @fidencio , thanks for the PR, can we explain what's fixSnapshotLabels here? others LGTM!
Contributor
Author
There was a problem hiding this comment.
Sure, I will do the addition later Today. Thanks @imeoer!
Contributor
Author
There was a problem hiding this comment.
Fixed, and moved the PR to "Draft" till the work on containerd side gets merged.
…ode label
When containerd unpacks an image for a remote snapshotter like nydus
in proxy mode, it passes the CRIImageRef label via snapshots.WithLabels
during the Prepare/Unpack flow. This label contains the image reference
needed by nydus to construct the kata virtual volume metadata.
The mountProxy() function was being called without passing the available
labels, creating a rafs.Rafs{} with an empty Annotations map. This caused
nydus to fall back to using "dummy-image-reference" as the source,
breaking guest-side image pulling. The fix passes the labels through to
mountProxy() so CRIImageRef is available when constructing the kata
virtual volume.
Additionally, snapshots may have CRIImageRef but lack the
nydus-proxy-mode label. This happens when an image was unpacked before
containerd properly set all labels, or when labels were updated as
containerd detected that existing snapshots had incorrect labels (for
instance, a digest instead of a pullable image reference) and updated
then to contain the correct CRIImageRef valye beeded for guest-side
pulling after the initial unpack.
In the cases mentioned above the code would incorrectly call
mountNative() instead of mountProxy(), causing mount failures because
proxy mode directories don't contain actual content (content is pulled
inside the guest). The fix adds a fallback check before mountNative: if
we're in proxy driver mode and the snapshot or its parent chain has
CRIImageRef, use mountProxy instead.
Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
fidencio
force-pushed
the
topic/snapshot-fix-proxy-mode-mounting-for-snapshots-without-nydus-proxy-mode-label
branch
from
d96423f to
c491a4e
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Overview
When containerd unpacks an image for a remote snapshotter like nydus in proxy mode, it passes the CRIImageRef label via snapshots.WithLabels during the Prepare/Unpack flow. This label contains the image reference needed by nydus to construct the kata virtual volume metadata.
The mountProxy() function was being called without passing the available labels, creating a rafs.Rafs{} with an empty Annotations map. This caused nydus to fall back to using "dummy-image-reference" as the source, breaking guest-side image pulling. The fix passes the labels through to mountProxy() so CRIImageRef is available when constructing the kata virtual volume.
Additionally, snapshots may have CRIImageRef but lack the nydus-proxy-mode label. This happens when an image was unpacked before containerd properly set all labels, or when labels were updated via containerd's fixSnapshotLabels after the initial unpack. In these cases the code would incorrectly call mountNative() instead of mountProxy(), causing mount failures because proxy mode directories don't contain actual content (content is pulled inside the guest). The fix adds a fallback check before mountNative: if we're in proxy driver mode and the snapshot or its parent chain has CRIImageRef, use mountProxy instead.
Change Type
Please select the type of change your pull request relates to: