Hi all,
We recently landed support for the root overlay feature in runsc. This is a filesystem optimization feature. It effectively moves the container root filesystem's overlay mount from the host into the sandbox. This allows runsc to perform filesystem modifications in the root filesystem very quickly, without having to make round trips to the gofer to update the host. The root filesystem changes are destroyed with the container anyway, so it is wasted effort to keep updating the host with root filesystem changes.
This optimization improves performance drastically in some cases. Obviously it depends on how much the containerized workload modifies the root filesystem. For example, on my desktop, the time to `bazel build absl/base/...` in the abseil-cpp repo looks like:
- runsc (KVM platform): 55 seconds
- runsc with root overlay (KVM platform): 47 seconds
- runc (unsandboxed): 34 seconds
That is a 38% reduction in the sandboxing overhead that runsc imposes over runc (unsandboxed).
You can enable this feature by adding the `--overlay2=root:self` flag to the runtime configuration. The runtime configuration is in `/etc/docker/daemon.json` if you are using Docker. This feature is also supported properly on k8s.
We are looking for early adopters of this feature. You can file bugs or send feedback using this link. We look forward to hearing from you!
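
One way to add the flag to an existing Docker `daemon.json` without losing other runtime arguments, as an added example that is not part of the original announcement or the gVisor project's code. The runtime name `runsc`, the binary path `/usr/local/bin/runsc` and the sample configuration are assumptions; substitute the values from your install.

```python
import copy
import json

FLAG = "--overlay2=root:self"  # flag value taken from the announcement


def enable_root_overlay(daemon_cfg, runtime="runsc", path="/usr/local/bin/runsc"):
    """Return a copy of a Docker daemon.json dict with FLAG set for `runtime`.

    `runtime` and `path` are assumed defaults; use the values from your install.
    """
    cfg = copy.deepcopy(daemon_cfg)
    # Create the runtime entry only if it is missing; keep an existing one as is.
    entry = cfg.setdefault("runtimes", {}).setdefault(runtime, {"path": path})
    kept, skip_next = [], False
    for arg in entry.get("runtimeArgs", []):
        if skip_next:                       # value of a split "--overlay2 <value>"
            skip_next = False
            continue
        name = arg.lstrip("-")
        if name == "overlay2":              # split form: drop flag and its value
            skip_next = True
        elif name.startswith("overlay2="):  # drop any earlier overlay2 setting
            continue
        else:
            kept.append(arg)                # unrelated flags are preserved in order
    entry["runtimeArgs"] = kept + [FLAG]
    return cfg


# Constructed sample: an existing config that already selects the KVM platform
# and carries a different overlay2 setting.
SAMPLE = {
    "runtimes": {
        "runsc": {
            "path": "/usr/local/bin/runsc",
            "runtimeArgs": ["--platform=kvm", "--overlay2=none"],
        }
    }
}

if __name__ == "__main__":
    print(json.dumps(enable_root_overlay(SAMPLE), indent=4))
```

Docker reads `daemon.json` at startup, so restart the daemon after writing the updated file.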