fork: hardlink snapshot mem-file into snapshot forks#221
Draft
sjmiller609 wants to merge 8 commits into
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
When a Firecracker fork descends from a Template source, skip copying the snapshot mem-file and hardlink it to the source's instead. Firecracker mmaps the mem-file MAP_PRIVATE on restore, so all forks COW from the same backing inode — no per-fork copy required. Hardlink rather than symlink: firecracker's restore path temporarily aliases the source data dir to the fork data dir while loading the snapshot (withSnapshotSourceDirAlias). A symlink whose target traverses the source dir would resolve back into the fork dir during that window and trip ELOOP; a hardlink resolves by inode so the alias has no effect on it. Hardlinks require both paths on the same filesystem, which holds for our standard data-dir layout. Gated to Firecracker only because other hypervisors (cloud-hypervisor, qemu, vz) don't share MAP_PRIVATE semantics on their snapshot layouts. Restricted to Template sources because they are explicitly promoted as fork-only and can never be restored — sharing the mem-file with a non-Template source would let a later RestoreInstance mutate the file out from under live forks. Stacked on hypeship/template-as-state so the Template state both gates "this snapshot is safe to fan out from" and lets fork counts be derived at read time.
Snapshot forks copy the source guest dir into the fork instance dir; the dominant cost is the multi-GB mem-file. Hardlink it instead and skip the file from the directory walk via CopyOptions.SkipRelPaths (introduced for template forks). This is safe because:
- snapshot mem-files are immutable
- the hypervisor mmaps them MAP_PRIVATE on restore, so fork writes never reach the underlying file
- hardlinks survive snapshot deletion via inode refcount, so a deleted snapshot never strands a running fork
Falls back to the regular copy walk when no raw mem-file is present.
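An added illustration of the two properties the commit messages above rely on: a hardlinked mem-file shares the source's inode and outlives deletion of the source path, and a MAP_PRIVATE mapping's writes never reach the file. This is example code, not the project's ForkInstance; LinkMemFile, PrivateWriteLeaksToFile and the flat src/fork directory layout are assumptions, and the mmap check is Linux-specific.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// LinkMemFile hardlinks srcDir/name into forkDir/name (forkDir must exist)
// and returns true. It returns (false, nil) when the source has no raw
// mem-file so the caller can fall back to the regular copy walk. A hardlink
// resolves by inode, so a temporary alias of the source dir cannot redirect it.
func LinkMemFile(srcDir, forkDir, name string) (bool, error) {
	src := filepath.Join(srcDir, name)
	if _, err := os.Stat(src); os.IsNotExist(err) {
		return false, nil
	} else if err != nil {
		return false, err
	}
	if err := os.Link(src, filepath.Join(forkDir, name)); err != nil {
		return false, fmt.Errorf("hardlink mem-file: %w", err)
	}
	return true, nil
}

// PrivateWriteLeaksToFile maps path MAP_PRIVATE, flips its first byte
// through the mapping and reports whether the on-disk file changed. Because
// MAP_PRIVATE is copy-on-write the answer must be false: a fork's guest
// writes dirty private pages, never the shared inode.
func PrivateWriteLeaksToFile(path string) (bool, error) {
	orig, err := os.ReadFile(path)
	if err != nil || len(orig) == 0 {
		return false, fmt.Errorf("read %s: empty or %v", path, err)
	}
	f, err := os.Open(path) // a read-only fd suffices for a private mapping
	if err != nil {
		return false, err
	}
	defer f.Close()
	m, err := syscall.Mmap(int(f.Fd()), 0, len(orig),
		syscall.PROT_READ|syscall.PROT_WRITE, syscall.MAP_PRIVATE)
	if err != nil {
		return false, err
	}
	defer syscall.Munmap(m)
	m[0] ^= 0xff // lands in a private copy of the page, not in the file
	after, err := os.ReadFile(path)
	return err == nil && after[0] != orig[0], nil
}
```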
Adds StateTemplate to the instance state machine. A Standby instance is auto-promoted to Template the first time it's forked from a snapshot, and ForkCount is bumped on each subsequent fork. Templates can't wake while ForkCount > 0; un-promote (Template -> Standby) and delete (Template -> Stopped) are both refused until forks drain. Fork bookkeeping lives on StoredMetadata (IsTemplate, ForkCount, ForkOfTemplate, plus a reserved HotPagesPath for the prefetch path). Deleting a fork decrements the parent template's ForkCount under the parent's lock; deletion of the fork's own data has already happened, so worst case is refcount drift that a future reconciliation pass fixes. The running-fork flow keeps skipping promotion: it restores the source back to Running afterward, and a template can't wake.
Drops the persisted ForkCount field from StoredMetadata and the decrement bookkeeping in DeleteInstance. Live forks of a template are now counted by scanning metadata for ForkOfTemplate matches via a new countTemplateForks helper. The fork-of-template field itself remains the single source of truth, so there's no drift to reconcile. Template promotion on fork only flips IsTemplate when not already set; deletion of a template still refuses when forks exist, but the count is computed from disk rather than read from a denormalized field.
Previously ForkInstance auto-promoted a Standby source to Template the
first time it was forked from a snapshot, and RestoreInstance auto-demoted
a Template before waking it. That implicit lifecycle blurred the rules: a
Standby and a "Standby that has been forked once" behaved differently,
and callers had to know that restoring a Template was a two-step
operation under the hood.
Replace it with explicit PromoteToTemplate / DemoteTemplate manager
methods (and matching POST /instances/{id}/promote-template and
/demote-template endpoints). Promotion is now Standby -> Template only;
demotion is Template -> Standby only and refuses while live forks
reference the template. ForkInstance only records the parent linkage if
the source is already a Template, and RestoreInstance no longer
auto-demotes — callers must demote first.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
Silently continuing past an unreadable metadata file could undercount forks of a template, allowing DemoteTemplate or DeleteInstance to free a template whose pages are still mapped by a live fork.
Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
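An added example, not the project's own code, of the read-time fork count and the demote refusal described in the commit messages above, including the fail-closed behaviour on unreadable metadata. The shape of StoredMetadata, the <root>/<instance>/metadata.json layout and the function names are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"os"
	"path/filepath"
)
// StoredMetadata keeps only the fields the commit messages name (assumed shape).
type StoredMetadata struct{ ID string; IsTemplate bool; ForkOfTemplate string }
// countTemplateForks derives the live fork count of templateID by scanning
// <root>/<instance>/metadata.json for matching ForkOfTemplate fields. An
// unreadable or unparsable file is an error, never skipped: undercounting
// could free a template whose pages a live fork still maps.
func countTemplateForks(root, templateID string) (int, error) {
	entries, err := os.ReadDir(root)
	if err != nil {
		return 0, err
	}
	n := 0
	for _, e := range entries {
		if !e.IsDir() {
			continue // only instance directories carry metadata
		}
		raw, err := os.ReadFile(filepath.Join(root, e.Name(), "metadata.json"))
		if err != nil {
			return 0, fmt.Errorf("read metadata for %s: %w", e.Name(), err)
		}
		var md StoredMetadata
		if err := json.Unmarshal(raw, &md); err != nil {
			return 0, fmt.Errorf("parse metadata for %s: %w", e.Name(), err)
		}
		if md.ForkOfTemplate == templateID {
			n++
		}
	}
	return n, nil
}
// demoteTemplate is the explicit Template -> Standby step; refused while forks live.
func demoteTemplate(root string, md *StoredMetadata) error {
	n, err := countTemplateForks(root, md.ID)
	if err != nil {
		return err // unknown fork count: fail closed
	}
	if !md.IsTemplate || n > 0 {
		return fmt.Errorf("refusing to demote %s: template=%v, live forks=%d", md.ID, md.IsTemplate, n)
	}
	md.IsTemplate = false
	return nil
}
```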
Summary
- CopyOptions.SkipRelPaths, then os.Link'd into place after the copy returns. Dodges the multi-GB sparse copy and the directory-walk overhead in one step.

Why this is safe
- MAP_PRIVATE on restore, so fork writes never reach the underlying file — all forks of a snapshot can share the same inode.

Stack
- hypeship/fork-shared-memfile (PR fork: share template mem-file via hardlink for firecracker fan-out #214) because that PR introduced CopyOptions.SkipRelPaths.
- share_memory API.

Test plan
- go test ./lib/instances/ -run TestForkSnapshotHardlinksRawMemoryFile
- go test ./lib/instances/ -run TestForkSnapshotFromCompressedSourceCopiesRawMemory still passes (compressed source still gets a real raw file in the fork)
- go test ./lib/forkvm/
- stat -c %i matches between the source mem-file and the fork's mem-file