containers/composefs containers/composefs

  • Stars
    star
    441
  • Rank 98,861 (Top 2 %)
  • Language
    C
  • License
    Other
  • Created about 3 years ago
  • Updated about 1 month ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
containers/composefs
github

containers

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

a file system for mounting container images

composefs

The composefs project combines several underlying Linux features to provide a very flexible mechanism to support read-only mountable filesystem trees, stacking on top of an underlying "lower" Linux filesystem.

The key technologies composefs uses are:

  • overlayfs as the kernel interface
  • EROFS for a mountable metadata tree
  • fs-verity (optional) from the lower filesystem

The manner in which these technologies are combined is important. First, to emphasize: composefs does not store any persistent data itself. The underlying metadata and data files must be stored in a valid "lower" Linux filesystem. Usually on most systems, this will be a traditional writable persistent Linux filesystem such as ext4, xfs,, btrfs etc.

Separation between metadata and data

A key aspect of the way composefs works is that it's designed to store "data" (i.e. non-empty regular files) distinct from "metadata" (i.e. everything else).

composefs reads and writes a filesystem image which is really just an EROFS which today is loopback mounted.

However, this EROFS filesystem tree is just metadata; the underlying non-empty data files can be shared in a distinct "backing store" directory. The EROFS filesystem includes trusted.overlay.redirect extended attributes which tell the overlayfs mount how to find the real underlying files.

Mounting multiple composefs with a shared backing store

The key targeted use case for composefs is versioned, immutable executable filesystem trees (i.e. container images and bootable host systems), where some of these filesystems may share parts of their storage (i.e. some files may be different, but not all).

Composefs ships with a mount helper that allows you to easily mount images by pass the image filename and the base directory for the content files like this:

# mount -t composefs /path/to/image  -o basedir=/path/to/content /mnt

By storing the files content-addressed (e.g. using the hash of the content to name the file) shared files need only be stored once, yet can appear in multiple mounts.

Backing store shared on disk and in page cache

A crucial advantage of composefs in contrast to other approaches is that data files are shared in the page cache.

This allows launching multiple container images that will reliably share memory.

Filesystem integrity

Composefs also supports fs-verity validation of the content files. When using this, the digest of the content files is stored in the image, and composefs will validate that the content file it uses has a matching enabled fs-verity digest. This means that the backing content cannot be changed in any way (by mistake or by malice) without this being detected when the file is used.

You can also use fs-verity on the image file itself, and pass the expected fs-verity digest as a mount option, which composefs will validate. In this case we have full trust of both data and metadata of the mounted file. This solves a weakness that fs-verity has when used on on its own, in that it can only verify file data, not metadata.

Usecase: container images

There are multiple container image systems; for those using e.g. OCI a common approach (implemented by both docker and podman for example) is to just untar each layer by itself, and then use overlayfs to stitch them together at runtime. This is a partial inspiration for composefs; notably this approach does ensure that identical layers are shared.

However if instead we store the file content in a content-addressed fashion, and then we can generate a composefs file for each layer, continuing to mount them with a chain of overlayfs or we can generate a single composefs for the final merged filesystem tree.

This allows sharing of content files between images, even if the metadata (like the timestamps or file ownership) vary between images.

Together with something like zstd:chunked this will speed up pulling container images and make them available for usage, without the need to even create these files if already present!

Usecase: Bootable host systems (e.g. OSTree)

OSTree already uses a content-addressed object store. However, normally this has to be checked out into a regular directory (using hardlinks into the object store for regular files). This directory is then bind-mounted as the rootfs when the system boots.

OSTree already supports enabling fs-verity on the files in the store, but nothing can protect against changes to the checkout directories. A malicious user can add, remove or replace files there. We want to use composefs to avoid this.

Instead of checking out to a directory we generate a composefs image pointing into the object store and mount that as the root fs. We can then enable fs-verity of the composefs image and embed the digest of that in the kernel commandline which specifies the rootfs. Since composefs generation is reproducible, we can even verify that the composefs image we generated is correct by comparing its digest to one in the ostree metadata that was generated when the ostree image was built.

For more information on ostree and composefs, see this tracking issue.

tools

Composefs installs two main tools:

  • mkcomposefs: Creates a composefs image given a directory pathname. Can also compute digests and create a content store directory.
  • mount.composefs: A mount helper that supports mounting composefs images.

mounting a composefs image

The mount.composefs helper allows you to mount composefs images (of both types).

The basic use is:

# mount -t composefs /path/to/image.cfs -o basedir=/path/to/datafiles  /mnt

The default behaviour for fs-verity is that any image files that specifies an expected digest needs the backing file to match that fs-verity digest, at least if this is supported in the kernel. This can be modified with the verity and noverity options.

Mount options:

  • basedir: is the directory to use as a base when resolving relative content paths.
  • verity: All image files must specify a fs-verity image.
  • noverity: Don't verfy fs-verity digests (useful for example if fs-verity is not supported on basedir).
  • digest: A fs-verity sha256 digest that the image file must match. If set, verity_check defaults to 2.
  • signed: The image file must contain an fs-verity signature.
  • upperdir: Sepcify an upperdir for the overlayfs filesystem.
  • workdir: Sepcify an upperdir for the overlayfs filesystem.
  • idmap: Specify a path to a user namespace that is useda as an idmap.

Experimental user space tools

The directory tools/ contains some experimental user space tools to work with composefs images.

  • composefs-from-json: convert from a CRFS metadata file to the binary blob.
  • ostree-convert-commit.py: converts an OSTree commit into a CRFS config file that writer-json can use.

More Repositories

1

podman

Podman: A tool for managing OCI containers and pods.
Go
23,573
star
2

skopeo

Work with remote images registries - retrieving information, images, signing content
Go
8,189
star
3

buildah

A tool that facilitates building OCI images.
Go
7,364
star
4

youki

A container runtime written in Rust
Rust
6,267
star
5

podman-compose

a script to run docker-compose.yml using podman
Python
5,047
star
6

podman-desktop

Podman Desktop is the best free and open source tool to work with Containers and Kubernetes for developers. Get an intuitive and user-friendly interface to effortlessly build, manage, and deploy containers and Kubernetes — all from your desktop.
TypeScript
4,824
star
7

bubblewrap

Low-level unprivileged sandboxing tool used by Flatpak and similar projects
C
3,920
star
8

crun

A fast and lightweight fully featured OCI runtime and C library for running containers
C
3,021
star
9

toolbox

Tool for interactive command line environments on Linux
Shell
2,537
star
10

krunvm

Create microVMs from OCI images
Rust
1,422
star
11

libkrun

A dynamic library providing Virtualization-based process isolation capabilities
Rust
871
star
12

image

Work with containers' images
Go
866
star
13

bootc

Boot and upgrade via container images
Rust
649
star
14

podman-tui

Podman Terminal UI
Go
639
star
15

storage

Container Storage Library
Go
560
star
16

fuse-overlayfs

FUSE implementation for overlayfs
C
528
star
17

netavark

Container network stack
Rust
528
star
18

udica

This repository contains a tool for generating SELinux security profiles for containers
Python
487
star
19

podlet

Generate Podman Quadlet files from a Podman command, compose file, or existing object
Rust
460
star
20

conmon

An OCI container runtime monitor.
C
420
star
21

podman-desktop-extension-bootc

Support for bootable OS containers (bootc) and generating disk images
TypeScript
411
star
22

build

another build tool for container images (archived, see https://github.com/rkt/rkt/issues/4024)
Go
342
star
23

quadlet

C
342
star
24

oci-seccomp-bpf-hook

OCI hook to trace syscalls and generate a seccomp profile
Go
301
star
25

ansible-podman-collections

Repository for Ansible content that can include playbooks, roles, modules, and plugins for use with the Podman tool
Python
266
star
26

gvisor-tap-vsock

A new network stack based on gVisor
Go
258
star
27

podman.io_old

Repository for podman.io website using GitHub Pages.
CSS
258
star
28

container-selinux

SELinux policy files for Container Runtimes
Roff
254
star
29

podman-py

Python bindings for Podman's RESTful API
Python
253
star
30

ramalama

The goal of RamaLama is to make working with AI boring.
Shell
231
star
31

oci-spec-rs

OCI Runtime, Image and Distribution Spec in Rust
Rust
208
star
32

common

Location for shared common files in github.com/containers repos.
Go
188
star
33

conmon-rs

An OCI container runtime monitor written in Rust
Rust
186
star
34

aardvark-dns

Authoritative dns server for A/AAAA container records. Forwards other request to host's /etc/resolv.conf
Rust
184
star
35

dnsname

name resolution for containers
Go
177
star
36

podman-desktop-extension-ai-lab

Work with LLMs on a local environment using containers
TypeScript
175
star
37

docker-lvm-plugin

Docker volume plugin for LVM volumes
Go
155
star
38

crun-vm

Run VM disk images using Podman / Docker / Kubernetes.
Rust
146
star
39

ocicrypt

Encryption libraries for Encrypted OCI Container images
Go
144
star
40

virtcontainers

A Go package for building hardware virtualized container runtimes
Go
139
star
41

prometheus-podman-exporter

Prometheus exporter for podman environments exposing containers, pods, images, volumes and networks information.
Go
134
star
42

fetchit

FetchIt is used to manage the life cycle and configuration of Podman containers
Go
124
star
43

containrs

General purpose container library
Rust
120
star
44

ai-lab-recipes

Examples for building and running LLM services and applications locally with Podman
Python
108
star
45

bluechi

Bluechi is a systemd service controller intended for multi-node environments with a predefined number of nodes and with a focus on highly regulated ecosystems such as those requiring functional safety.
C
96
star
46

Demos

Repository is a location of user demos for technologies listed on github.com/containers
Shell
80
star
47

libkrunfw

A dynamic library bundling the guest payload consumed by libkrun
C
77
star
48

omlmd

OCI Artifact for ML model & metadata
Python
69
star
49

shortnames

Shortnames project is collecting registry alias names for shortnames to fully specified container image names.
Python
68
star
50

psgo

A ps(1) AIX-format compatible golang library
Go
58
star
51

nri-plugins

A collection of community maintained NRI plugins
Go
57
star
52

podman.io

The new podman.io design project
TypeScript
53
star
53

libocispec

a C library for accessing OCI runtime and image spec files
Python
52
star
54

tar-diff

Go
51
star
55

python-podman

Python bindings and code examples for using Varlink access to Podman Service
Python
49
star
56

podman-security-bench

Shell
40
star
57

initoverlayfs

C
39
star
58

selinuxd

A daemon that manages SELinux policies on a filesystem
Go
36
star
59

krunkit

Launch configurable virtual machines with libkrun
Rust
36
star
60

nydus-storage-plugin

A storage plugin that provided CRI-O/Podman with the ability to lazy mount nydus images.
Go
34
star
61

podman-desktop-swift

Swift
34
star
62

appstore

Example directory of Kubernetes YAML and Quadlets tested with Podman
Python
30
star
63

BuildSourceImage

Tool to build a source image based on an existing OCI image
Shell
29
star
64

buildah.io

Repository for the buildah.io web site using GitHub Pages.
HTML
26
star
65

ansible-podman

Ansible podman is a package to allow ansible playbooks to manage podman containers
Python
26
star
66

oci-fetch

Simple command line tool for fetching the Open Container Initiative image format over various transports.
Go
24
star
67

containertoolbx.org

Website for the Toolbx project
CSS
24
star
68

qm

QM is a containerized environment for running Functional Safety qm (Quality Management) software
Shell
22
star
69

libhvee

Special purposed library for Windows HyperV control
Go
21
star
70

automation_images

Shell
21
star
71

containers-image-proxy-rs

containers-image-proxy-rs
Rust
20
star
72

podman-wsl-fedora

Root FS image of Fedora for Podman Machine on Windows
20
star
73

podman-machine-qemu

Qemu build for macOS used by the self-contained `podman machine` installer
Shell
19
star
74

podman-bootc

Go
18
star
75

automation

Automation scripts and configurations common across the containers org. repositories
Shell
15
star
76

podman-machine-wsl-os

WSL OS Images for Podman Machine 5.x - based on Fedora
15
star
77

oci-umount

C
13
star
78

docs

Repository for all documentation written about tools hosted at github.com/containers
Shell
12
star
79

bootable

Ruby
11
star
80

netavark-dhcp-proxy-deprecated

DHCP proxy for Netavark
Rust
11
star
81

image_build

Monorepo menagerie of container images and associated build automation
Shell
11
star
82

podhawk

Python
9
star
83

podman-desktop-catalog

Catalog of extensions of Podman Desktop
7
star
84

validator

C
7
star
85

podman-machine-cni

Go
6
star
86

arty

Arty is a tool for managing OCI Artifacts on OCI Registries.
6
star
87

ocidir-rs

Low level Rust library for working with OCI (opencontainers) directories
Rust
5
star
88

PodmanHello

Podman Hello Image Repository
Dockerfile
4
star
89

.github

The README for the containers organization
4
star
90

automation_sandbox

Test-repository for experimenting with in-repo automation tools/settings.
4
star
91

fetchit-desktop-extension

TypeScript
4
star
92

winquit

golang module that supports graceful shutdown of Windows applications
Go
4
star
93

kubensmnt

Shell
4
star
94

podman-desktop-extension-layers-explorer

An extension for Podman Desktop to explore files in Images layers
TypeScript
4
star
95

podman-desktop-e2e

Podman desktop e2e tests
Go
3
star
96

podman-desktop-extension-minikube

TypeScript
3
star
97

nri-plugins-operator

Makefile
3
star
98

luksy

offline encryption/decryption using LUKS formats
Go
3
star
99

release-keys

2
star
100

ContainerPlumbing

Container Plumbing Conference information.
2
star