deckhouse · YuryLysov · Aug 13, 2025 · Aug 18, 2025 · Aug 18, 2025 · Aug 22, 2025
@@ -1,6 +1,7 @@
 **/*.git
 **/.svn
 **/.hg
+images/**/mount-points.yaml
 **/werf*.yaml
 **/werf*.yml
 .werf/**

@@ -0,0 +1,32 @@
+{{/*
+
+Template to bake mount points in the image. These static mount points
+are required so containerd can start a container with image integrity check.
+
+Problem: each directory specified in volumeMounts items should exist
+in image, containerd is unable to create mount point for us when
+integrity check is enabled.
+
+Solution: define all possible mount points in mount-points.yaml file and
+include this template in git section of the werf.inc.yaml.
+
+*/}}
+{{/* NOTE: Keep in sync with version in Deckhouse CSE */}}
+{{- define "image mount points" }}
+{{-   $mountPoints := ($.Files.Get (printf "images/%s/mount-points.yaml" $.ImageName) | fromYaml) }}
+{{-   $context := . }}
+{{-   range $v := $mountPoints.dirs }}
+- add: /tools/mounts/mountdir
+  to: {{ $v | trimSuffix "/" }}
+  stageDependencies:
+    install:
+    - "**/*"
+{{-   end }}
+{{-   range $v := $mountPoints.files }}
+- add: /tools/mounts/mountfile
+  to: {{ $v }}
+  stageDependencies:
+    install:
+    - "**/*"
+{{-   end }}
+{{- end }}
@@ -0,0 +1,7 @@
+# A list of pre-created mount points for containerd strict mode.
+
+dirs:
+  # Create dirs in /run, as /var/run is a symlink to /run.
+  - /run/certs/cdi-apiserver-signer-bundle
+  - /run/certs/cdi-apiserver-server-cert
+  - /kubeconfig.local
@@ -1,6 +1,8 @@
 ---
 image: {{ .ModuleNamePrefix }}{{ .ImageName }}
 fromImage: {{ .ModuleNamePrefix }}distroless
+git:
+  {{- include "image mount points" . }}
 import:
 - image: {{ .ModuleNamePrefix }}cdi-artifact
   add: /cdi-binaries

@@ -0,0 +1,7 @@
+# A list of pre-created mount points for containerd strict mode.
+#
+# See https://github.com/deckhouse/3p-containerized-data-importer/blob/80d763d788e06b3decaf22e4762076cec64582b3/pkg/controller/clone-controller.go#L699
+
+dirs:
+  # Create dirs in /run, as /var/run is a symlink to /run.
+  - /run/cdi/clone/source
@@ -1,6 +1,8 @@
 ---
 image: {{ .ModuleNamePrefix }}{{ .ImageName }}
 fromImage: {{ .ModuleNamePrefix }}distroless
+git:
+  {{- include "image mount points" . }}
 import:
 - image: {{ .ModuleNamePrefix }}{{ .ImageName }}-bins
   add: /relocate

@@ -0,0 +1,13 @@
+# A list of pre-created mount points for containerd strict mode.
+#
+# Some volume mounts are ignored:
+# - /tmp - already in the 'distroless' base image.
+
+dirs:
+  # Create dirs in /run, as /var/run is a symlink to /run.
+  - /run/cdi/token/keys
+  - /run/certs/cdi-uploadserver-signer
+  - /run/certs/cdi-uploadserver-client-signer
+  - /run/ca-bundle/cdi-uploadserver-signer-bundle
+  - /run/ca-bundle/cdi-uploadserver-client-signer-bundle
+  - /kubeconfig.local
@@ -1,6 +1,8 @@
 ---
 image: {{ .ModuleNamePrefix }}{{ .ImageName }}
 fromImage: {{ .ModuleNamePrefix }}distroless
+git:
+  {{- include "image mount points" . }}
 import:
 - image: {{ .ModuleNamePrefix }}{{ .ImageName }}-bins
   add: /relocate

@@ -0,0 +1,17 @@
+# A list of pre-created mount points for containerd strict mode.
+#
+# See https://github.com/deckhouse/3p-containerized-data-importer/blob/d5fa5124b8a645521843814fffecdf385b74b379/pkg/controller/import-controller.go#L962
+#
+# Some volume mounts are ignored:
+# - /extraheaders - Etra headers not implemented in virtualization-controller.
+# - /google - No support for GCS data source in VirtualImage.
+# - /tmp - already in the 'distroless' base image.
+
+dirs:
+  - /certs
+  - /data
+  - /opt
+  - /proxycerts
+  - /scratch
+  - /shared
+
@@ -1,6 +1,8 @@
 ---
 image: {{ .ModuleNamePrefix }}{{ .ImageName }}
 fromImage: {{ .ModuleNamePrefix }}distroless
+git:
+  {{- include "image mount points" . }}
 import:
 - image: {{ .ModuleNamePrefix }}{{ .ImageName }}-bins
   add: /relocate

@@ -0,0 +1,4 @@
+# A list of pre-created mount points for containerd strict mode.
+
+dirs:
+  - /kubeconfig.local
@@ -1,6 +1,8 @@
 ---
 image: {{ .ModuleNamePrefix }}{{ .ImageName }}
 fromImage: {{ .ModuleNamePrefix }}distroless
+git:
+  {{- include "image mount points" . }}
 import:
 - image: {{ .ModuleNamePrefix }}cdi-artifact
   add: /cdi-binaries

@@ -27,20 +27,26 @@ shell:
   install:
   - |
     mkdir -p /relocate/etc/{pki,ssl} /relocate/usr/{bin,sbin,share,lib,lib64}
-    
+
     cd /relocate
     for dir in {bin,sbin,lib,lib64};do
       ln -s usr/$dir $dir
     done
+    # /var/run -> ../run symlink to prevent making /var/run a directory during the build.
+    # It is needed for better compatibility with containerd default top layer.
+    mkdir -p run
+    mkdir -p var
+    ln -s var/run ../run
     cd /
-    
+
     cp -pr /tmp /relocate
     cp -pr /etc/passwd /etc/group /etc/hostname /etc/hosts /etc/shadow /etc/protocols /etc/services /etc/nsswitch.conf /relocate/etc
     cp -pr /usr/share/ca-certificates /relocate/usr/share
     cp -pr /usr/share/zoneinfo /relocate/usr/share
     cp -pr /etc/pki/tls/cert.pem /relocate/etc/ssl
     cp -pr /etc/pki/tls/certs /relocate/etc/ssl
     cp -pr /etc/pki/ca-trust/ /relocate/etc/
+    # Create 'deckhouse' user to run without root.
     echo "deckhouse:x:64535:64535:deckhouse:/:/sbin/nologin" >> /relocate/etc/passwd
     echo "deckhouse:x:64535:" >> /relocate/etc/group
     echo "deckhouse:!::0:::::" >> /relocate/etc/shadow
@@ -0,0 +1,7 @@
+# A list of pre-created mount points for containerd strict mode.
+
+dirs:
+  - /dvcr-src-auth
+  - /dvcr-auth
+  - /certs
+  - /proxycerts
@@ -1,6 +1,8 @@
 ---
 image: {{ .ModuleNamePrefix }}{{ .ImageName }}
 fromImage: {{ .ModuleNamePrefix }}distroless
+git:
+  {{- include "image mount points" . }}
 import:
 - image: {{ .ModuleNamePrefix }}dvcr-artifact-bins
   add: /relocate

@@ -0,0 +1,4 @@
+# A list of pre-created mount points for containerd strict mode.
+
+dirs:
+  - /dvcr-auth
@@ -1,6 +1,8 @@
 ---
 image: {{ .ModuleNamePrefix }}{{ .ImageName }}
 fromImage: {{ .ModuleNamePrefix }}distroless
+git:
+  {{- include "image mount points" . }}
 import:
 - image: {{ .ModuleNamePrefix }}dvcr-artifact-bins
   add: /relocate

@@ -0,0 +1,7 @@
+# A list of pre-created mount points for containerd strict mode.
+
+dirs:
+  - /etc/docker/registry
+  - /etc/ssl/docker
+  - /var/lib/registry
+  - /auth
@@ -19,6 +19,8 @@ shell:
 ---
 image: {{ .ModuleNamePrefix }}{{ .ImageName }}
 fromImage: {{ .ModuleNamePrefix }}distroless
+git:
+  {{- include "image mount points" . }}
 import:
 - image: {{ .ModuleNamePrefix }}{{ .ImageName }}-builder
   add: /container-registry-binary

@@ -0,0 +1,7 @@
+# A list of pre-created mount points for containerd strict mode.
+
+dirs:
+  - /etc/virt-operator/certificates
+  - /etc/virt-api/certificates
+  # Create dirs in /run, as /var/run is a symlink to /run.
+  - /run/certs/cdi-apiserver-server-cert
@@ -35,13 +35,22 @@ shell:
 
 image: {{ .ModuleNamePrefix }}{{ .ImageName }}
 fromImage: builder/scratch
+git:
+  {{- include "image mount points" . }}
 import:
   - image: {{ .ModuleNamePrefix }}{{ .ImageName }}-builder
     add: /src/kube-api-rewriter/kube-api-rewriter
     to: /app/kube-api-rewriter
     after: install
+  # Make containerd compatible directories structure.
+  - image: {{ .ModuleNamePrefix }}{{ .ImageName }}-builder
+    add: /var
+    to: /var
+    includePaths:
+      - run
+    after: install
 imageSpec:
   config:
-    user: "65532:65532"
+    user: "64535:64535"
     workingDir: "/app"
     entrypoint: ["/app/kube-api-rewriter"]
@@ -0,0 +1,10 @@
+# A list of pre-created mount points for containerd strict mode.
+#
+# Some volume mounts are ignored:
+# - /tmp - already in the 'distroless' base image.
+
+dirs:
+  - /etc/virt-api/certificates
+  - /etc/virt-handler/clientcertificates
+  - /profile-data
+  - /kubeconfig.local
@@ -1,6 +1,8 @@
 ---
 image: {{ .ModuleNamePrefix }}{{ .ImageName }}
 fromImage: {{ .ModuleNamePrefix }}distroless
+git:
+  {{- include "image mount points" . }}
 import:
 - image: {{ .ModuleNamePrefix }}virt-artifact
   add: /kubevirt-binaries/

@@ -0,0 +1,7 @@
+# A list of pre-created mount points for containerd strict mode.
+
+dirs:
+  - /etc/virt-controller/certificates
+  - /etc/virt-controller/exportca
+  - /profile-data
+  - /kubeconfig.local
@@ -1,6 +1,8 @@
 ---
 image: {{ .ModuleNamePrefix }}{{ .ImageName }}
 fromImage: {{ .ModuleNamePrefix }}distroless
+git:
+  {{- include "image mount points" . }}
 import:
 - image: {{ .ModuleNamePrefix }}virt-artifact
   add: /kubevirt-binaries/

@@ -0,0 +1,21 @@
+# A list of pre-created mount points for containerd strict mode.
+#
+# Some volume mounts are ignored:
+# - /tmp - already in the 'distroless' base image.
+
+dirs:
+  - /etc/virt-handler/clientcertificates
+  - /etc/virt-handler/servercertificates
+  - /kubeconfig.local
+  - /profile-data
+  - /etc/podinfo
+  - /pods
+  - /var/lib/kubevirt
+  - /var/lib/kubelet/device-plugins
+  - /var/lib/kubelet/pods
+  - /var/lib/kubevirt-node-labeller
+  # Create dirs in /run, as /var/run is a symlink to /run.
+  - /run/kubevirt
+  - /run/kubevirt-libvirt-runtimes
+  - /run/kubevirt-private
+
@@ -1,6 +1,8 @@
 ---
 image: {{ .ModuleNamePrefix }}{{ .ImageName }}
 fromImage: {{ .ModuleNamePrefix }}distroless
+git:
+  {{- include "image mount points" . }}
 import:
 - image: {{ .ModuleNamePrefix }}{{ .ImageName }}-bins
   add: /relocate

@@ -0,0 +1,48 @@
+# A list of pre-created mount points for containerd strict mode.
+#
+# See https://github.com/deckhouse/3p-kubevirt/blob/8aed630/pkg/virt-controller/services/rendervolumes.go
+#
+# Some volume mounts are ignored:
+# - /tmp - already in the 'distroless' base image.
+# - /var/run - already in the 'distroless' base image.
+# No need to pre-create a plethora of /var/run descendants,
+# as deckhouse/3p-kubevirt is patched to mount /var/run as emptyDir:
+# - /var/run/libvirt
+# - /var/run/kubevirt-ephemeral-disks
+# - /var/run/kubevirt-hooks
+# - /var/run/kubevirt-private
+# - /var/run/kubevirt-private/sysprep/<volname>
+# - /var/run/kubevirt-private/secret/cloudinit/userdata
+# - /var/run/kubevirt-private/secret/cloudinit/userData
+# - /var/run/kubevirt-private/secret/cloudinit/networkdata
+# - /var/run/kubevirt-private/secret/cloudinit/networkData
+# - /var/run/kubevirt-private/config-map
+# - /var/run/kubevirt-private/downwardapi
+# - /var/run/kubevirt-private/downwardapi-disks
+# - /var/run/kubevirt-private/vmi-disks
+# - /var/run/kubevirt-private/libvirt
+# - /var/run/kubevirt-private/libvirt/qemu
+# - /var/run/kubevirt-private/libvirt/qemu/nvram
+# - /var/run/kubevirt-private/libvirt/qemu/swtpm
+# - /var/run/kubevirt-private/var/lib/swtpm-localca
+# - There are more dirs in /var/run/kubevirt-private/
+# - /var/run/kubevirt
+# - /var/run/kubevirt/container-disks
+# - /var/run/kubevirt/sockets
+# - /var/run/kubevirt/hotplug-disks
+# - /var/run/kubevirt/virtiofs-containers
+# /var/log is mounted as emptyDir too:
+# - /var/log/libvirt
+
+dirs:
+  - /etc/libvirt
+  - /etc/podinfo
+  - /var/cache/libvirt
+  - /var/lib/libvirt
+  - /var/lib/libvirt/swtpm
+  - /var/lib/libvirt/qemu/nvram
+  - /var/lib/kubevirt-node-labeller
+  - /var/lib/swtpm-localca
+  - /var/log
+  - /path # For hot-plugged disks, used in "hp Pods".
+  - /init/usr/bin # For attaching images as "container disks".
@@ -2,6 +2,8 @@
 image: {{ .ModuleNamePrefix }}{{ .ImageName }}
 final: true
 fromImage: {{ .ModuleNamePrefix }}distroless
+git:
+  {{- include "image mount points" . }}
 import:
   - image: {{ .ModuleNamePrefix }}{{ .ImageName }}-binaries
     add: /relocate

@@ -0,0 +1,6 @@
+# A list of pre-created mount points for containerd strict mode.
+
+dirs:
+  - /etc/virt-operator/certificates
+  - /profile-data
+  - /kubeconfig.local
@@ -1,6 +1,8 @@
 ---
 image: {{ .ModuleNamePrefix }}{{ .ImageName }}
 fromImage: {{ .ModuleNamePrefix }}distroless
+git:
+  {{- include "image mount points" . }}
 import:
 - image: {{ .ModuleNamePrefix }}virt-artifact
   add: /kubevirt-binaries/

@@ -0,0 +1,6 @@
+# A list of pre-created mount points for containerd strict mode.
+
+dirs:
+  - /etc/virtualization-api/certificates
+  - /etc/virtualization-api-proxy/certificates
+  - /etc/virt-api/certificates