GrootFS
GrootFS is a tool with a command line interface (CLI) that provides filesystem isolation for containers. Isolated filesystems are also called root filesystems (or rootfss). Each Garden container references one rootfs that is mounted as its root mountpoint.
The command line interface (CLI) implements the Garden's image plugin binary interface and is used as an image plugin by Garden's . volumizer. The CLI consists of the following commands:
- Create: creates a new rootfs and returns information (json document) about it on the standard out. Garden parses that json object and uses its data when building the container
config.json. - Delete: deletes a rootfs, invoked when Garden destroys a container
- Clean: cleans all unused layers from the cache in the store, invoked when the store size reaches a threshold
- Lister: lists all the images in the store
- Stats: returns store stats
The root filesystem is an (overlay filesystem)[https://www.kernel.org/doc/html/latest/filesystems/overlayfs.html] that is mounted under a directory in the GrootFS store. Every rootfs starts with a base image (a tar file, or an OCI image) that consists of layers that are downloaded during rootfs creation. The base image layers are mounted as lower/upper overlay dirs (and are read-only) while the workdir is created by GrootFS on rootfs creation and is writable. Thus containers can only change their writable workdirs but cannot change the base layers.
As base image layers are read-only for containers, they can be shared across different rootfses via simply mounting the upper/lower dirs into different overlay mounts thus optimising disk usage and not donwloading layers that are already downloaded. For example, two containers that have their rootfses based on the same base image (such as ubuntu) would have their own rootfses with their own workdirs, but the upper/lower dirs in the overlay mount would be the same. Furthermore, when the second container is created, the layers from the ubuntu base image will not be downloaded (as they have been downloaded when the first container has been created) which also helps for performance.