Revolutionizing Container Filesystems with PuzzleFS Innovations
Introduction to PuzzleFS
In the rapidly changing realm of container technology, the demand for effective and secure filesystems is more critical than ever. PuzzleFS has emerged as a pioneering solution, tackling the limitations of current container filesystems while focusing on performance, security, and extensibility. This article explores PuzzleFS's essential features and its anticipated influence on containerization.
Design Objectives
PuzzleFS is built on a clear set of design objectives aimed at redefining the container filesystem landscape:
- Rapid Image Processing: Ensuring that image creation and mounting occur at lightning speed to minimize delays during container startup.
- Decreased Data Redundancy: Effectively sharing data chunks across layers to lower storage costs and minimize duplication.
- Standardized Image Format: Establishing a canonical image format for consistent image builds.
- Direct Mounting Capabilities: Allowing images to be mounted directly, improving data integrity and security.
- Memory Safety Assurance: Prioritizing memory safety through the use of Rust, ensuring consistency across both user and kernel space.
At its core, PuzzleFS is designed to address the weaknesses inherent in the current Open Container Initiative (OCI) format. Its primary aims include minimizing data duplication, facilitating reproducible image builds, supporting direct mounting, and guaranteeing memory safety, all in alignment with the OCIv2 design principles, which prioritize enhanced efficiency and security.
Reducing Data Duplication
One of the standout features of PuzzleFS is its ability to cut down on data duplication. Traditionally, container images require users to repeatedly download significant amounts of data, even for minor updates. PuzzleFS addresses this challenge through several innovative strategies:
- Content-Defined Chunking (FastCDC): Utilizing FastCDC, a content-defined chunking algorithm, PuzzleFS identifies and reuses identical chunks among image layers. This dramatically reduces duplication when creating new layers.
- Reproducible Builds: By establishing a standard image format, PuzzleFS ensures that different OCI image builders can produce the same root filesystem for an identical base image.
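The deduplication effect of content-defined chunking can be seen in a small added example. It is not PuzzleFS code and not from the original article: it uses a simplified gear-hash chunker in the spirit of FastCDC rather than FastCDC itself. The size constants, the gear mixer, the sample layer and the three-byte edit are all assumptions constructed for illustration.

```rust
use std::collections::HashSet;

const MIN: usize = 64; // never cut before this many bytes
const MAX: usize = 1024; // forced cut at this size
const MASK: u64 = 0xFF << 56; // top 8 hash bits zero => boundary (about 1 position in 256)

// Per-byte pseudo-random "gear" value (constructed mixer, not FastCDC's table).
fn gear(b: u8) -> u64 {
    let z = (b as u64 + 1).wrapping_mul(0x9E37_79B9_7F4A_7C15);
    (z ^ (z >> 29)).wrapping_mul(0xBF58_476D_1CE4_E5B9)
}

// Each shift drops the oldest bit, so the hash covers only the last 64 bytes:
// a boundary depends on nearby content, not on the absolute offset in the layer.
fn cdc_chunks(data: &[u8]) -> Vec<&[u8]> {
    let (mut out, mut start, mut h) = (Vec::new(), 0usize, 0u64);
    for (i, &b) in data.iter().enumerate() {
        h = (h << 1).wrapping_add(gear(b));
        let len = i + 1 - start;
        if (len >= MIN && (h & MASK) == 0) || len >= MAX || i + 1 == data.len() {
            out.push(&data[start..=i]);
            start = i + 1;
            h = 0;
        }
    }
    out
}

// Baseline: boundaries at fixed offsets, so any insertion shifts every later chunk.
fn fixed_chunks(data: &[u8]) -> Vec<&[u8]> { data.chunks(256).collect() }

// Bytes of `new` not already held as chunks of `old`. Chunks are compared by
// content here; a real chunk store would key them by a cryptographic digest.
fn new_bytes<'a>(old: &'a [u8], new: &'a [u8], chunk: fn(&'a [u8]) -> Vec<&'a [u8]>) -> usize {
    let have: HashSet<&[u8]> = chunk(old).into_iter().collect();
    chunk(new).into_iter().filter(|c| !have.contains(c)).map(|c| c.len()).sum()
}

// Constructed sample layer: 64 KiB of xorshift output.
fn sample_layer() -> Vec<u8> {
    let mut x: u64 = 0x2545_F491_4F6C_DD1D;
    (0..65536).map(|_| { x ^= x << 13; x ^= x >> 7; x ^= x << 17; (x >> 32) as u8 }).collect()
}

fn main() {
    let old = sample_layer();
    let new = [&old[..100], &[0xAA, 0xBB, 0xCC][..], &old[100..]].concat(); // constructed edit
    println!("fixed-size chunks:      {} new bytes", new_bytes(&old, &new, fixed_chunks));
    println!("content-defined chunks: {} new bytes", new_bytes(&old, &new, cdc_chunks));
}
```

With fixed-size chunks the insertion makes essentially the whole layer new data, while the content-defined chunker resynchronizes shortly after the edit and only the chunks around it need to be stored or transferred again.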
Direct Mounting Capabilities
PuzzleFS introduces direct mounting support, which enhances data integrity and security during image management. While it currently functions as a userspace filesystem via FUSE (Filesystem in Userspace), work is ongoing to develop a read-only kernel filesystem driver. This feature is especially beneficial for users and organizations that have stringent requirements for verifying the integrity of containerized applications.
Memory Safety and Rust Implementation
A commitment to memory safety is a fundamental principle of PuzzleFS, emphasizing its dedication to secure filesystem practices. The choice to implement PuzzleFS using Rust underscores this commitment, allowing for shared code between user space and kernel space, thereby creating a unified and secure framework.
Extensibility and Future Enhancements
Extensibility is another vital aspect of PuzzleFS. It aims to define a flexible image format that accommodates new features without disrupting backward compatibility. This adaptability paves the way for various enhancements, including image signing, diverse compression algorithms, and more.
Verifiability and Repairability
PuzzleFS acknowledges the significance of verifying and repairing container images. It aims to empower users to check for any intentional or accidental corruption at a per-file level. This feature simplifies the identification and rectification of any image damage, thereby enhancing the reliability of containerized applications.
Optimizing Upload Processes
To enhance the efficiency of image uploads, PuzzleFS seeks to minimize data transfer overhead when pushing images to repositories. By utilizing challenge-response authentication and efficient hashing techniques, PuzzleFS reduces unnecessary internet traffic during uploads, leading to quicker container deployments.
Security in Untrusted Environments
With the increasing reliance on third-party storage systems like S3 and peer-to-peer filesystems, PuzzleFS recognizes the need for secure storage solutions. It envisions a mechanism to encrypt image layers, ensuring safety in untrusted environments—a critical feature for maintaining privacy and confidentiality.
Conclusion: The Future of Container Filesystems
PuzzleFS marks a significant advancement in the domain of container filesystems. By emphasizing efficiency, security, and extensibility, it addresses major challenges faced by containerization platforms. As the technology continues to evolve, PuzzleFS is well-positioned to transform the landscape, offering a robust and innovative approach to managing container images securely and efficiently. Its design goals—ranging from reduced duplication to direct mounting support—make it a compelling contender in the container ecosystem. As development advances, PuzzleFS holds the potential to revolutionize our approach to container filesystems, paving the way for faster, safer, and more extensible containerized applications.
The video title is "PuzzleFS - the Next-Generation Container Filesystem" featuring Armand-Ariel Miculas from Cisco Systems, discussing how PuzzleFS is set to revolutionize container filesystems.