Skip to content

verity volumes: pre-load docker images and data into CVMs#752

Open
h4x3rotab wants to merge 4 commits into
masterfrom
verity-volumes
Open

verity volumes: pre-load docker images and data into CVMs#752
h4x3rotab wants to merge 4 commits into
masterfrom
verity-volumes

Conversation

@h4x3rotab

@h4x3rotab h4x3rotab commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

What this does

Starting a CVM is slow mostly because of image extraction — decompressing layers and writing millions of files to the encrypted disk (~30 s for a 3 GB image, a couple of minutes for 7 GB). A verity volume skips that: a read-only, dm-verity-protected disk, built once, whose layers are already extracted. The CVM mounts it and verifies blocks lazily as the app reads them — no pull, no unpacking — and one volume can back many CVMs.

How it fits together

  • dstack verity <image>… builds the volume. It fetches the images itself (via oci-client, no docker daemon) and lays out docker's overlay2 store deterministically, then seals it with squashfs + dm-verity. The same inputs give the same verity_root, byte for byte, so anyone can recompute it from the pinned digests and confirm what's inside. --dir packs a plain directory (e.g. model weights) instead.
  • The guest seeds the volume into docker before dockerd starts, matching each attached disk to the verity_root declared in app-compose.json. It's fail-safe — a missing or mismatched volume falls back to a normal pull.
  • The vmm attaches volumes read-only by name (dstack deploy --volume), resolved under volumes_dir.

Why it's safe

verity_root lives in app-compose.json, so it's measured into app_id. The guest trusts the root, not the host or the builder, and dm-verity rejects anything that doesn't match. The build needs no TEE, so it can run in CI and be attested with SLSA provenance on top.

Design and trade-offs are in docs/verity-volumes.md. Validated end to end on Intel TDX — first boot, reboot of the same instance, two volumes in one CVM — and reproducible across independent builds.

🤖 Generated with Claude Code

@h4x3rotab h4x3rotab changed the title verity volumes: reproducible dm-verity image/data pre-seeding for CVMs verity volumes: pre-load docker images and data into CVMs Jul 4, 2026
@h4x3rotab h4x3rotab force-pushed the verity-volumes branch 10 times, most recently from 61dd38d to abaaa84 Compare July 4, 2026 08:51
h4x3rotab and others added 2 commits July 4, 2026 23:04
Add read-only verity volumes -- extra virtio-blk disks a CVM can mount
instead of pulling and unpacking their contents. A volume is declared in
app-compose.json as `{ verity_root, target }`, and attached at deploy time
with `--volume <name>`: the vmm looks the name up under cvm.volumes_dir and
attaches it read-only. Because verity_root is part of the measured compose,
the guest can check the bytes it's handed against it.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Just before dockerd starts, dstack-prepare.sh runs the seeding helper. For
each volume declared in the compose it finds the matching disk by opening it
with veritysetup against the measured verity_root, then either seeds docker's
overlay2 store (target "docker") so the images are already present, or mounts
the volume at a path (a data volume). It's fail-safe throughout: a volume
that's missing or doesn't verify is skipped, and its images just pull.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
h4x3rotab and others added 2 commits July 4, 2026 23:16
`dstack verity <image>...` builds a squashfs + dm-verity volume that
pre-extracts docker images (or, with `--dir`, a plain directory) so a CVM can
start without pulling or unpacking them. It fetches images itself through
oci-client -- no docker daemon -- and lays out the overlay2 store
deterministically (each layer's directory id is its chain-id, with a fixed
timestamp and salt). The same inputs always produce the same verity_root, so
anyone can recompute it from the pinned image digests and confirm what's in
the volume without trusting the builder. `dstack deploy --volume` attaches
the result.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant