erofs-snapshotter: make IMMUTABLE_FL optional

hsiangkao · hsiangkao · commit 8d194c19febc · 2025-07-12T13:03:00.000+08:00
Enabling the IMMUTABLE_FL file attribute causes dirty data to be
flushed synchronously at least on EXT4, which can greatly impact
container launch performance.  In contrast, the overlayfs snapshotter
does not use syncfs by default.

Most users may not need IMMUTABLE_FL, let's make IMMUTABLE_FL optional
to align with the behavior of the overlayfs snapshotter and recover the
original performance.

1. tensorflow

Test commands:
$ nerdctl image pull --snapshotter=X --unpack="false" tensorflow/tensorflow:2.19.0
$ time nerdctl container --snapshotter=X run -d tensorflow/tensorflow:2.19.0 /bin/sh

Results:
 overlayfs                 | 0m18.748s
 erofs (no IMMUTABLE_FL)   | 0m10.090s
 erofs (with IMMUTABLE_FL) | 0m21.074s

2. ubuntu 22.04

Test commands:
$ nerdctl image pull --snapshotter=X --unpack="false" ubuntu:22.04
$ time nerdctl container --snapshotter=X run -d ubuntu:22.04 /bin/sh

Results:
 overlayfs                 | 0m1.147s
 erofs (no IMMUTABLE_FL)   | 0m0.795s
 erofs (with IMMUTABLE_FL) | 0m1.094s

Signed-off-by: Gao Xiang &lt;hsiangkao@linux.alibaba.com&gt;
diff --git a/docs/snapshotters/erofs.md b/docs/snapshotters/erofs.md
@@ -104,7 +104,7 @@ builds, as shown below:
 
 ``` toml
   [plugins."io.containerd.differ.v1.erofs"]
-    mkfs_options = ["-T0 --mkfs-time"]
+    mkfs_options = ["-T0", "--mkfs-time"]
 ```
 
 If erofs-utils is 1.8.2 or higher, it's preferred to append `--sort=none` to
@@ -113,7 +113,7 @@ improved performance, as shown below:
 
 ``` toml
   [plugins."io.containerd.differ.v1.erofs"]
-    mkfs_options = ["-T0 --mkfs-time --sort=none"]
+    mkfs_options = ["-T0", "--mkfs-time", "--sort=none"]
 ```
 
 ### Running a container
@@ -128,6 +128,38 @@ $ # run the container with the provides snapshotter
 $ ctr run -rm -t --snapshotter erofs docker.io/library/busybox:latest hello sh
 ```
 
+## Data Integrity
+
+The EROFS snapshotter provides two methods to consolidate data integrity:
+
+### Data Integrity with Immutable File Attribute
+
+By setting `set_immutable = true`, the EROFS snapshotter marks each layer blob
+with `IMMUTABLE_FL`. This ensures that dirty data is flushed immediately and the
+EROFS layer blob cannot be deleted, renamed, or modified.
+
+The immutable file attribute is mainly used to ensure data persistence and
+prevent artificial data loss, but it cannot detect data corruption caused by
+hardware failures. Since it can flush in-memory dirty data, it may significantly
+increase the unpacking time it takes to launch a container: for example, the
+unpacking time for tensorflow:2.19.0 increases by 108.86% (from 10.090s to
+21.074s) on EXT4. However, it has no impact on runtime performance.
+
+### Data Integrity with fs-verity
+
+By setting `enable_fsverity = true`, the EROFS snapshotter will:
+
+ - Enable fs-verity on EROFS layers during commit;
+
+ - Verify the fs-verity status before mounting layers;
+
+ - Skip fs-verity if the filesystem or kernel does not support it.
+
+The fs-verity method guarantees that EROFS blob layers never change, but it
+introduces additional runtime overhead since all container image reads from
+the container will be slower because it needs to verify the Merkle hash tree
+first.
+
 ## How It Works
 
 For each layer, the EROFS snapshotter prepares a directory containing the
@@ -165,14 +197,6 @@ In other words, the EROFS differ can only be used with the EROFS snapshotter;
 otherwise, it will skip to the next differ.  The EROFS snapshotter can work
 with or without the EROFS differ.
 
-## Data Integrity with fsverity
-
-The EROFS snapshotter supports fsverity for data integrity verification of EROFS layers.
-When enabled via `enable_fsverity = true`, the snapshotter will:
-- Enable fsverity on EROFS layers during commit
-- Verify fsverity status before mounting layers
-- Skip fsverity if the filesystem or kernel does not support it
-
 ## TODO
 
 The EROFS Fsmerge feature is NOT supported in the current implementation
diff --git a/plugins/snapshots/erofs/erofs_linux.go b/plugins/snapshots/erofs/erofs_linux.go
@@ -44,6 +44,8 @@ type SnapshotterConfig struct {
 	ovlOptions []string
 	// enableFsverity enables fsverity for EROFS layers
 	enableFsverity bool
+	// setImmutable enables IMMUTABLE_FL file attribute for EROFS layers
+	setImmutable bool
 }
 
 // Opt is an option to configure the erofs snapshotter
@@ -63,6 +65,13 @@ func WithFsverity() Opt {
 	}
 }
 
+// WithImmutable enables IMMUTABLE_FL file attribute for EROFS layers
+func WithImmutable() Opt {
+	return func(config *SnapshotterConfig) {
+		config.setImmutable = true
+	}
+}
+
 type MetaStore interface {
 	TransactionContext(ctx context.Context, writable bool) (context.Context, storage.Transactor, error)
 	WithTransaction(ctx context.Context, writable bool, fn storage.TransactionCallback) error
@@ -74,6 +83,7 @@ type snapshotter struct {
 	ms             *storage.MetaStore
 	ovlOptions     []string
 	enableFsverity bool
+	setImmutable   bool
 }
 
 // check if EROFS kernel filesystem is registered or not
@@ -146,6 +156,7 @@ func NewSnapshotter(root string, opts ...Opt) (snapshots.Snapshotter, error) {
 		ms:             ms,
 		ovlOptions:     config.ovlOptions,
 		enableFsverity: config.enableFsverity,
+		setImmutable:   config.setImmutable,
 	}, nil
 }
 
@@ -432,9 +443,12 @@ func (s *snapshotter) Commit(ctx context.Context, name, key string, opts ...snap
 				return fmt.Errorf("failed to enable fsverity: %w", err)
 			}
 		}
+
 		// Set IMMUTABLE_FL on the EROFS layer to avoid artificial data loss
-		if err := setImmutable(layerBlob, true); err != nil {
-			log.G(ctx).WithError(err).Warnf("failed to set IMMUTABLE_FL for %s", layerBlob)
+		if s.setImmutable {
+			if err := setImmutable(layerBlob, true); err != nil {
+				log.G(ctx).WithError(err).Warnf("failed to set IMMUTABLE_FL for %s", layerBlob)
+			}
 		}
 		return nil
 	})
diff --git a/plugins/snapshots/erofs/plugin/plugin_linux.go b/plugins/snapshots/erofs/plugin/plugin_linux.go
@@ -36,6 +36,9 @@ type Config struct {
 
 	// EnableFsverity enables fsverity for EROFS layers
 	EnableFsverity bool `toml:"enable_fsverity"`
+
+	// If `SetImmutable` is enabled, IMMUTABLE_FL will be set on layer blobs.
+	SetImmutable bool `toml:"set_immutable"`
 }
 
 func init() {
@@ -65,6 +68,10 @@ func init() {
 				opts = append(opts, erofs.WithFsverity())
 			}
 
+			if config.SetImmutable {
+				opts = append(opts, erofs.WithImmutable())
+			}
+
 			ic.Meta.Exports[plugins.SnapshotterRootDir] = root
 			return erofs.NewSnapshotter(root, opts...)
 		},
