containerd · Dec 13, 2024
diff --git a/‎Makefile
+4-1 b/‎Makefile
+4-1
diff --git a/‎cmd/containerd-stargz-grpc/fsopts/fsopts.go
+81 b/‎cmd/containerd-stargz-grpc/fsopts/fsopts.go
+81
diff --git a/‎cmd/containerd-stargz-grpc/main.go
+87-100 b/‎cmd/containerd-stargz-grpc/main.go
+87-100
diff --git a/‎cmd/go.mod
+1-1 b/‎cmd/go.mod
+1-1
diff --git a/‎cmd/stargz-fuse-manager/main.go
+57 b/‎cmd/stargz-fuse-manager/main.go
+57
diff --git a/‎docs/overview.md
+23 b/‎docs/overview.md
+23
diff --git a/‎fs/fs.go
+14-6 b/‎fs/fs.go
+14-6
diff --git a/‎fusemanager/api/api.pb.go
+566 b/‎fusemanager/api/api.pb.go
+566
diff --git a/‎fusemanager/api/api.proto
+58 b/‎fusemanager/api/api.proto
+58
diff --git a/‎fusemanager/api/generate.go
+19 b/‎fusemanager/api/generate.go
+19
diff --git a/‎fusemanager/client.go
+141 b/‎fusemanager/client.go
+141
diff --git a/‎fusemanager/fusemanager.go
+255 b/‎fusemanager/fusemanager.go
+255
diff --git a/‎fusemanager/fusestore.go
+99 b/‎fusemanager/fusestore.go
+99
diff --git a/‎fusemanager/service.go
+308 b/‎fusemanager/service.go
+308
diff --git a/‎go.mod
+2-2 b/‎go.mod
+2-2
diff --git a/‎service/keychain/keychainconfig/keychainconfig.go
+88 b/‎service/keychain/keychainconfig/keychainconfig.go
+88
diff --git a/‎service/service.go
+25-14 b/‎service/service.go
+25-14
@@ -24,7 +24,7 @@ REVISION=$(shell git rev-parse HEAD)$(shell if ! git diff --no-ext-diff --quiet
 GO_BUILD_LDFLAGS ?= -s -w
 GO_LD_FLAGS=-ldflags '$(GO_BUILD_LDFLAGS) -X $(PKG)/version.Version=$(VERSION) -X $(PKG)/version.Revision=$(REVISION) $(GO_EXTRA_LDFLAGS)'
 
-CMD=containerd-stargz-grpc ctr-remote stargz-store
+CMD=containerd-stargz-grpc ctr-remote stargz-store stargz-fuse-manager
 
 CMD_BINARIES=$(addprefix $(PREFIX),$(CMD))
 
@@ -48,6 +48,9 @@ stargz-store: FORCE
 stargz-store-helper: FORCE
 	cd cmd/ ; GO111MODULE=$(GO111MODULE_VALUE) go build -o $(PREFIX)$@ $(GO_BUILD_FLAGS) $(GO_LD_FLAGS) -v ./stargz-store/helper
 
+stargz-fuse-manager: FORCE
+	cd cmd/ ; GO111MODULE=$(GO111MODULE_VALUE) go build -o $(PREFIX)$@ $(GO_BUILD_FLAGS) $(GO_LD_FLAGS) -v ./stargz-fuse-manager
+
 check:
 	@echo "$@"
 	@GO111MODULE=$(GO111MODULE_VALUE) $(shell go env GOPATH)/bin/golangci-lint run
 
@@ -0,0 +1,81 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package fsopts
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"path/filepath"
+
+	"github.com/containerd/log"
+	dbmetadata "github.com/containerd/stargz-snapshotter/cmd/containerd-stargz-grpc/db"
+	ipfs "github.com/containerd/stargz-snapshotter/cmd/containerd-stargz-grpc/ipfs"
+	"github.com/containerd/stargz-snapshotter/fs"
+	"github.com/containerd/stargz-snapshotter/metadata"
+	memorymetadata "github.com/containerd/stargz-snapshotter/metadata/memory"
+	bolt "go.etcd.io/bbolt"
+)
+
+type Config struct {
+	EnableIpfs    bool
+	MetadataStore string
+}
+
+const (
+	memoryMetadataType = "memory"
+	dbMetadataType     = "db"
+)
+
+func ConfigFsOpts(ctx context.Context, rootDir string, config *Config) ([]fs.Option, error) {
+	fsOpts := []fs.Option{fs.WithMetricsLogLevel(log.InfoLevel)}
+
+	if config.EnableIpfs {
+		fsOpts = append(fsOpts, fs.WithResolveHandler("ipfs", new(ipfs.ResolveHandler)))
+	}
+
+	mt, err := getMetadataStore(rootDir, config)
+	if err != nil {
+		return nil, fmt.Errorf("failed to configure metadata store: %w", err)
+	}
+	fsOpts = append(fsOpts, fs.WithMetadataStore(mt))
+
+	return fsOpts, nil
+}
+
+func getMetadataStore(rootDir string, config *Config) (metadata.Store, error) {
+	switch config.MetadataStore {
+	case "", memoryMetadataType:
+		return memorymetadata.NewReader, nil
+	case dbMetadataType:
+		bOpts := bolt.Options{
+			NoFreelistSync:  true,
+			InitialMmapSize: 64 * 1024 * 1024,
+			FreelistType:    bolt.FreelistMapType,
+		}
+		db, err := bolt.Open(filepath.Join(rootDir, "metadata.db"), 0600, &bOpts)
+		if err != nil {
+			return nil, err
+		}
+		return func(sr *io.SectionReader, opts ...metadata.Option) (metadata.Reader, error) {
+			return dbmetadata.NewReader(db, sr, opts...)
+		}, nil
+	default:
+		return nil, fmt.Errorf("unknown metadata store type: %v; must be %v or %v",
+			config.MetadataStore, memoryMetadataType, dbMetadataType)
+	}
+}
@@ -20,43 +20,32 @@ import (
 	"context"
 	"flag"
 	"fmt"
-	"io"
 	golog "log"
 	"math/rand"
 	"net"
 	"net/http"
 	"os"
+	"os/exec"
 	"os/signal"
 	"path/filepath"
 	"time"
 
 	snapshotsapi "github.com/containerd/containerd/api/services/snapshots/v1"
 	"github.com/containerd/containerd/v2/contrib/snapshotservice"
 	"github.com/containerd/containerd/v2/core/snapshots"
-	"github.com/containerd/containerd/v2/defaults"
-	"github.com/containerd/containerd/v2/pkg/dialer"
 	"github.com/containerd/containerd/v2/pkg/sys"
 	"github.com/containerd/log"
-	dbmetadata "github.com/containerd/stargz-snapshotter/cmd/containerd-stargz-grpc/db"
-	ipfs "github.com/containerd/stargz-snapshotter/cmd/containerd-stargz-grpc/ipfs"
-	"github.com/containerd/stargz-snapshotter/fs"
-	"github.com/containerd/stargz-snapshotter/metadata"
-	memorymetadata "github.com/containerd/stargz-snapshotter/metadata/memory"
+	"github.com/containerd/stargz-snapshotter/cmd/containerd-stargz-grpc/fsopts"
+	"github.com/containerd/stargz-snapshotter/fusemanager"
 	"github.com/containerd/stargz-snapshotter/service"
-	"github.com/containerd/stargz-snapshotter/service/keychain/cri"
-	"github.com/containerd/stargz-snapshotter/service/keychain/dockerconfig"
-	"github.com/containerd/stargz-snapshotter/service/keychain/kubeconfig"
-	"github.com/containerd/stargz-snapshotter/service/resolver"
+	"github.com/containerd/stargz-snapshotter/service/keychain/keychainconfig"
+	snbase "github.com/containerd/stargz-snapshotter/snapshot"
 	"github.com/containerd/stargz-snapshotter/version"
 	sddaemon "github.com/coreos/go-systemd/v22/daemon"
 	metrics "github.com/docker/go-metrics"
 	"github.com/pelletier/go-toml"
-	bolt "go.etcd.io/bbolt"
 	"golang.org/x/sys/unix"
 	"google.golang.org/grpc"
-	"google.golang.org/grpc/backoff"
-	"google.golang.org/grpc/credentials/insecure"
-	runtime "k8s.io/cri-api/pkg/apis/runtime/v1"
 )
 
 const (
@@ -65,14 +54,19 @@ const (
 	defaultLogLevel            = log.InfoLevel
 	defaultRootDir             = "/var/lib/containerd-stargz-grpc"
 	defaultImageServiceAddress = "/run/containerd/containerd.sock"
+	defaultFuseManagerAddress  = "/run/containerd-stargz-grpc/fuse-manager.sock"
+
+	fuseManagerBin     = "stargz-fuse-manager"
+	fuseManagerAddress = "fuse-manager.sock"
 )
 
 var (
-	address      = flag.String("address", defaultAddress, "address for the snapshotter's GRPC server")
-	configPath   = flag.String("config", defaultConfigPath, "path to the configuration file")
-	logLevel     = flag.String("log-level", defaultLogLevel.String(), "set the logging level [trace, debug, info, warn, error, fatal, panic]")
-	rootDir      = flag.String("root", defaultRootDir, "path to the root directory for this snapshotter")
-	printVersion = flag.Bool("version", false, "print the version")
+	address           = flag.String("address", defaultAddress, "address for the snapshotter's GRPC server")
+	configPath        = flag.String("config", defaultConfigPath, "path to the configuration file")
+	logLevel          = flag.String("log-level", defaultLogLevel.String(), "set the logging level [trace, debug, info, warn, error, fatal, panic]")
+	rootDir           = flag.String("root", defaultRootDir, "path to the root directory for this snapshotter")
+	detachFuseManager = flag.Bool("detach-fuse-manager", false, "whether detach fusemanager or not")
+	printVersion      = flag.Bool("version", false, "print the version")
 )
 
 type snapshotterConfig struct {
@@ -92,6 +86,11 @@ type snapshotterConfig struct {
 
 	// MetadataStore is the type of the metadata store to use.
 	MetadataStore string `toml:"metadata_store" default:"memory"`
+	// FuseManagerAddress is address for the fusemanager's GRPC server
+	FuseManagerAddress string `toml:"fusemanager_address"`
+
+	// FuseManagerPath is path to the fusemanager's executable
+	FuseManagerPath string `toml:"fusemanager_path"`
 }
 
 func main() {
@@ -140,51 +139,84 @@ func main() {
 	}
 
 	// Configure keychain
-	credsFuncs := []resolver.Credential{dockerconfig.NewDockerconfigKeychain(ctx)}
-	if config.Config.KubeconfigKeychainConfig.EnableKeychain {
-		var opts []kubeconfig.Option
-		if kcp := config.Config.KubeconfigKeychainConfig.KubeconfigPath; kcp != "" {
-			opts = append(opts, kubeconfig.WithKubeconfigPath(kcp))
-		}
-		credsFuncs = append(credsFuncs, kubeconfig.NewKubeconfigKeychain(ctx, opts...))
+	keyChainConfig := keychainconfig.Config{
+		EnableKubeKeychain:         config.Config.KubeconfigKeychainConfig.EnableKeychain,
+		EnableCRIKeychain:          config.Config.CRIKeychainConfig.EnableKeychain,
+		KubeconfigPath:             config.Config.KubeconfigKeychainConfig.KubeconfigPath,
+		DefaultImageServiceAddress: defaultImageServiceAddress,
+		ImageServicePath:           config.CRIKeychainConfig.ImageServicePath,
 	}
-	if config.Config.CRIKeychainConfig.EnableKeychain {
-		// connects to the backend CRI service (defaults to containerd socket)
-		criAddr := defaultImageServiceAddress
-		if cp := config.CRIKeychainConfig.ImageServicePath; cp != "" {
-			criAddr = cp
-		}
-		connectCRI := func() (runtime.ImageServiceClient, error) {
-			conn, err := newCRIConn(criAddr)
+
+	var rs snapshots.Snapshotter
+	if *detachFuseManager {
+		fmPath := config.FuseManagerPath
+		if fmPath == "" {
+			var err error
+			fmPath, err = exec.LookPath(fuseManagerBin)
 			if err != nil {
-				return nil, err
+				log.G(ctx).WithError(err).Fatalf("failed to find fusemanager bin")
 			}
-			return runtime.NewImageServiceClient(conn), nil
 		}
-		f, criServer := cri.NewCRIKeychain(ctx, connectCRI)
-		runtime.RegisterImageServiceServer(rpc, criServer)
-		credsFuncs = append(credsFuncs, f)
-	}
-	fsOpts := []fs.Option{fs.WithMetricsLogLevel(log.InfoLevel)}
-	if config.IPFS {
-		fsOpts = append(fsOpts, fs.WithResolveHandler("ipfs", new(ipfs.ResolveHandler)))
-	}
-	mt, err := getMetadataStore(*rootDir, config)
-	if err != nil {
-		log.G(ctx).WithError(err).Fatalf("failed to configure metadata store")
-	}
-	fsOpts = append(fsOpts, fs.WithMetadataStore(mt))
-	rs, err := service.NewStargzSnapshotterService(ctx, *rootDir, &config.Config,
-		service.WithCredsFuncs(credsFuncs...), service.WithFilesystemOptions(fsOpts...))
-	if err != nil {
-		log.G(ctx).WithError(err).Fatalf("failed to configure snapshotter")
+		fmAddr := config.FuseManagerAddress
+		if fmAddr == "" {
+			fmAddr = defaultFuseManagerAddress
+		}
+
+		if !filepath.IsAbs(fmAddr) {
+			log.G(ctx).WithError(err).Fatalf("fuse manager address must be an absolute path: %s", fmAddr)
+		}
+		err := fusemanager.StartFuseManager(ctx, fmPath, fmAddr, filepath.Join(*rootDir, "fusestore.db"), *logLevel, filepath.Join(*rootDir, "stargz-fuse-manager.log"))
+		if err != nil {
+			log.G(ctx).WithError(err).Fatalf("failed to start fusemanager")
+		}
+
+		fuseManagerConfig := fusemanager.Config{
+			Config:                     &config.Config,
+			IPFS:                       config.IPFS,
+			MetadataStore:              config.MetadataStore,
+			DefaultImageServiceAddress: defaultImageServiceAddress,
+		}
+
+		fs, err := fusemanager.NewManagerClient(ctx, *rootDir, fmAddr, &fuseManagerConfig)
+		if err != nil {
+			log.G(ctx).WithError(err).Fatalf("failed to configure fusemanager")
+		}
+		rs, err = snbase.NewSnapshotter(ctx, filepath.Join(*rootDir, "snapshotter"), fs, snbase.AsynchronousRemove)
+		if err != nil {
+			log.G(ctx).WithError(err).Fatalf("failed to configure snapshotter")
+		}
+		log.G(ctx).Infof("Start snapshotter with fusemanager mode")
+	} else {
+		credsFuncs, err := keychainconfig.ConfigKeychain(ctx, rpc, &keyChainConfig)
+		if err != nil {
+			log.G(ctx).WithError(err).Fatalf("failed to configure keychain")
+		}
+
+		fsConfig := fsopts.Config{
+			EnableIpfs:    config.IPFS,
+			MetadataStore: config.MetadataStore,
+		}
+		fsOpts, err := fsopts.ConfigFsOpts(ctx, *rootDir, &fsConfig)
+		if err != nil {
+			log.G(ctx).WithError(err).Fatalf("failed to configure fs config")
+		}
+
+		rs, err = service.NewStargzSnapshotterService(ctx, *rootDir, &config.Config,
+			service.WithCredsFuncs(credsFuncs...), service.WithFilesystemOptions(fsOpts...))
+		if err != nil {
+			log.G(ctx).WithError(err).Fatalf("failed to configure snapshotter")
+		}
 	}
 
 	cleanup, err := serve(ctx, rpc, *address, rs, config)
 	if err != nil {
 		log.G(ctx).WithError(err).Fatalf("failed to serve snapshotter")
 	}
 
+	// TODO: In detach mode, rs is taken over by fusemanager,
+	// but client will send unmount request to fusemanager,
+	// and fusemanager need get mount info from local db to
+	//  determine its behavior
 	if cleanup {
 		log.G(ctx).Debug("Closing the snapshotter")
 		rs.Close()
@@ -275,48 +307,3 @@ func serve(ctx context.Context, rpc *grpc.Server, addr string, rs snapshots.Snap
 	}
 	return false, nil
 }
-
-const (
-	memoryMetadataType = "memory"
-	dbMetadataType     = "db"
-)
-
-func getMetadataStore(rootDir string, config snapshotterConfig) (metadata.Store, error) {
-	switch config.MetadataStore {
-	case "", memoryMetadataType:
-		return memorymetadata.NewReader, nil
-	case dbMetadataType:
-		bOpts := bolt.Options{
-			NoFreelistSync:  true,
-			InitialMmapSize: 64 * 1024 * 1024,
-			FreelistType:    bolt.FreelistMapType,
-		}
-		db, err := bolt.Open(filepath.Join(rootDir, "metadata.db"), 0600, &bOpts)
-		if err != nil {
-			return nil, err
-		}
-		return func(sr *io.SectionReader, opts ...metadata.Option) (metadata.Reader, error) {
-			return dbmetadata.NewReader(db, sr, opts...)
-		}, nil
-	default:
-		return nil, fmt.Errorf("unknown metadata store type: %v; must be %v or %v",
-			config.MetadataStore, memoryMetadataType, dbMetadataType)
-	}
-}
-
-func newCRIConn(criAddr string) (*grpc.ClientConn, error) {
-	// TODO: make gRPC options configurable from config.toml
-	backoffConfig := backoff.DefaultConfig
-	backoffConfig.MaxDelay = 3 * time.Second
-	connParams := grpc.ConnectParams{
-		Backoff: backoffConfig,
-	}
-	gopts := []grpc.DialOption{
-		grpc.WithTransportCredentials(insecure.NewCredentials()),
-		grpc.WithConnectParams(connParams),
-		grpc.WithContextDialer(dialer.ContextDialer),
-		grpc.WithDefaultCallOptions(grpc.MaxCallRecvMsgSize(defaults.DefaultMaxRecvMsgSize)),
-		grpc.WithDefaultCallOptions(grpc.MaxCallSendMsgSize(defaults.DefaultMaxSendMsgSize)),
-	}
-	return grpc.NewClient(dialer.DialAddress(criAddr), gopts...)
-}
@@ -26,7 +26,6 @@ require (
 	golang.org/x/sync v0.9.0
 	golang.org/x/sys v0.26.0
 	google.golang.org/grpc v1.68.0
-	k8s.io/cri-api v0.32.0-alpha.0
 )
 
 require (
@@ -141,6 +140,7 @@ require (
 	k8s.io/api v0.31.2 // indirect
 	k8s.io/apimachinery v0.31.2 // indirect
 	k8s.io/client-go v0.31.2 // indirect
+	k8s.io/cri-api v0.32.0-alpha.0 // indirect
 	k8s.io/klog/v2 v2.130.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20240228011516-70dd3763d340 // indirect
 	k8s.io/utils v0.0.0-20240711033017-18e509b52bc8 // indirect
 
@@ -0,0 +1,57 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package main
+
+import (
+	"github.com/containerd/stargz-snapshotter/cmd/containerd-stargz-grpc/fsopts"
+	fusemanager "github.com/containerd/stargz-snapshotter/fusemanager"
+	"github.com/containerd/stargz-snapshotter/service"
+	"github.com/containerd/stargz-snapshotter/service/keychain/keychainconfig"
+)
+
+func init() {
+	fusemanager.RegisterConfigFunc(func(cc *fusemanager.ConfigContext) ([]service.Option, error) {
+		fsConfig := fsopts.Config{
+			EnableIpfs:    cc.Config.IPFS,
+			MetadataStore: cc.Config.MetadataStore,
+		}
+		fsOpts, err := fsopts.ConfigFsOpts(cc.Ctx, cc.RootDir, &fsConfig)
+		if err != nil {
+			return nil, err
+		}
+		return []service.Option{service.WithFilesystemOptions(fsOpts...)}, nil
+	})
+
+	fusemanager.RegisterConfigFunc(func(cc *fusemanager.ConfigContext) ([]service.Option, error) {
+		keyChainConfig := keychainconfig.Config{
+			EnableKubeKeychain:         cc.Config.Config.KubeconfigKeychainConfig.EnableKeychain,
+			EnableCRIKeychain:          cc.Config.Config.CRIKeychainConfig.EnableKeychain,
+			KubeconfigPath:             cc.Config.Config.KubeconfigKeychainConfig.KubeconfigPath,
+			DefaultImageServiceAddress: cc.Config.DefaultImageServiceAddress,
+			ImageServicePath:           cc.Config.Config.CRIKeychainConfig.ImageServicePath,
+		}
+		credsFuncs, err := keychainconfig.ConfigKeychain(cc.Ctx, cc.Server, &keyChainConfig)
+		if err != nil {
+			return nil, err
+		}
+		return []service.Option{service.WithCredsFuncs(credsFuncs...)}, nil
+	})
+}
+
+func main() {
+	fusemanager.Run()
+}
@@ -95,6 +95,29 @@ root@1d43741b8d29:/go# cat /.stargz-snapshotter/*
 {"digest":"sha256:f077511be7d385c17ba88980379c5cd0aab7068844dffa7a1cefbf68cc3daea3","size":580,"fetchedSize":580,"fetchedPercent":100}
 ```
 
+## Fuse Manager
+
+The fuse manager is designed to maintain the availability of running containers by managing the lifecycle of FUSE mountpoints independently from the stargz snapshotter.
+
+### Fuse Manager Overview
+Remote snapshots are mounted using FUSE, and its filesystem processes are attached to the stargz snapshotter. If the stargz snapshotter restarts (due to configuration changes or crashes), all filesystem processes will be killed and restarted, which causes the remount of FUSE mountpoints, making running containers unavailable.
+
+To avoid this, we use a fuse daemon called the fuse manager to handle filesystem processes. The fuse manager is responsible for mounting and unmounting remote snapshotters. Its process is detached from the stargz snapshotter main process to an independent one in a shim-like way during the snapshotter's startup. This design ensures that the restart of the snapshotter won't affect the filesystem processes it manages, keeping mountpoints and running containers available during the restart. However, it is important to note that the restart of the fuse manager itself triggers a remount, so it is recommended to keep the fuse manager running in a good state.
+
+You can enable the fuse manager by adding the flag `--detach-fuse-manager=true` to the stargz snapshotter.
+
+### Upgrading Fuse Manager
+
+When upgrading the fuse manager, it's recommended to follow these steps:
+
+1. Stop the containers using the stargz snapshotter.
+2. Stop the fuse manager and containerd-stargz-grpc process.
+3. Upgrade the your binary.
+4. Restart the containerd-stargz-grpc process.
+5. Restart the containers.
+
+This ensures a clean upgrade without impacting running containers.
+
 ## Registry-related configuration
 
 You can configure stargz snapshotter for accessing registries with custom configurations.
 
@@ -72,6 +72,12 @@ const (
 )
 
 var fusermountBin = []string{"fusermount", "fusermount3"}
+var (
+	nsLock = sync.Mutex{}
+
+	ns         *metrics.Namespace
+	metricsCtr *layermetrics.Controller
+)
 
 type Option func(*options)
 
@@ -160,18 +166,20 @@ func NewFilesystem(root string, cfg config.Config, opts ...Option) (_ snapshot.F
 		return nil, fmt.Errorf("failed to setup resolver: %w", err)
 	}
 
-	var ns *metrics.Namespace
-	if !cfg.NoPrometheus {
+	nsLock.Lock()
+	defer nsLock.Unlock()
+
+	if !cfg.NoPrometheus && ns == nil {
 		ns = metrics.NewNamespace("stargz", "fs", nil)
 		logLevel := log.DebugLevel
 		if fsOpts.metricsLogLevel != nil {
 			logLevel = *fsOpts.metricsLogLevel
 		}
 		commonmetrics.Register(logLevel) // Register common metrics. This will happen only once.
+		metrics.Register(ns)             // Register layer metrics.
 	}
-	c := layermetrics.NewLayerMetrics(ns)
-	if ns != nil {
-		metrics.Register(ns) // Register layer metrics.
+	if metricsCtr == nil {
+		metricsCtr = layermetrics.NewLayerMetrics(ns)
 	}
 
 	return &filesystem{
@@ -185,7 +193,7 @@ func NewFilesystem(root string, cfg config.Config, opts ...Option) (_ snapshot.F
 		backgroundTaskManager: tm,
 		allowNoVerification:   cfg.AllowNoVerification,
 		disableVerification:   cfg.DisableVerification,
-		metricsController:     c,
+		metricsController:     metricsCtr,
 		attrTimeout:           attrTimeout,
 		entryTimeout:          entryTimeout,
 	}, nil
 
@@ -0,0 +1,58 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+syntax = "proto3";
+
+option go_package = "github.com/stargz-snapshotter/fusemanager/api";
+
+package fusemanager;
+
+service StargzFuseManagerService {
+    rpc Status (StatusRequest) returns (StatusResponse);
+    rpc Init (InitRequest) returns (Response);
+    rpc Mount (MountRequest) returns (Response);
+    rpc Check (CheckRequest) returns (Response);
+    rpc Unmount (UnmountRequest) returns (Response);
+}
+
+message StatusRequest {
+}
+
+message InitRequest {
+    string root = 1;
+    bytes config = 2;
+}
+
+message MountRequest {
+    string mountpoint = 1;
+    map<string, string> labels = 2;
+}
+
+message CheckRequest {
+    string mountpoint = 1;
+    map<string, string> labels = 2;
+}
+
+message UnmountRequest {
+    string mountpoint = 1;
+}
+
+message StatusResponse {
+    int32 status = 1;
+}
+
+message Response {
+}
@@ -0,0 +1,19 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package api
+
+//go:generate protoc --gogo_out=paths=source_relative,plugins=grpc:. api.proto
@@ -0,0 +1,141 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package fusemanager
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+
+	"github.com/containerd/containerd/v2/defaults"
+	"github.com/containerd/containerd/v2/pkg/dialer"
+	"github.com/containerd/log"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/backoff"
+	"google.golang.org/grpc/credentials/insecure"
+
+	pb "github.com/containerd/stargz-snapshotter/fusemanager/api"
+	"github.com/containerd/stargz-snapshotter/snapshot"
+)
+
+type Client struct {
+	client pb.StargzFuseManagerServiceClient
+}
+
+func NewManagerClient(ctx context.Context, root, socket string, config *Config) (snapshot.FileSystem, error) {
+	grpcCli, err := newClient(socket)
+	if err != nil {
+		return nil, err
+	}
+
+	client := &Client{
+		client: grpcCli,
+	}
+
+	err = client.init(ctx, root, config)
+	if err != nil {
+		return nil, err
+	}
+
+	return client, nil
+}
+
+func newClient(socket string) (pb.StargzFuseManagerServiceClient, error) {
+	connParams := grpc.ConnectParams{
+		Backoff: backoff.DefaultConfig,
+	}
+	gopts := []grpc.DialOption{
+		grpc.WithTransportCredentials(insecure.NewCredentials()),
+		grpc.WithConnectParams(connParams),
+		grpc.WithContextDialer(dialer.ContextDialer),
+		grpc.WithDefaultCallOptions(
+			grpc.MaxCallRecvMsgSize(defaults.DefaultMaxRecvMsgSize),
+			grpc.MaxCallSendMsgSize(defaults.DefaultMaxSendMsgSize),
+		),
+	}
+
+	conn, err := grpc.NewClient(fmt.Sprintf("unix://%s", socket), gopts...)
+	if err != nil {
+		return nil, err
+	}
+
+	return pb.NewStargzFuseManagerServiceClient(conn), nil
+}
+
+func (cli *Client) init(ctx context.Context, root string, config *Config) error {
+	configBytes, err := json.Marshal(config)
+	if err != nil {
+		return err
+	}
+
+	req := &pb.InitRequest{
+		Root:   root,
+		Config: configBytes,
+	}
+
+	_, err = cli.client.Init(ctx, req)
+	if err != nil {
+		log.G(ctx).WithError(err).Errorf("failed to call Init")
+		return err
+	}
+
+	return nil
+}
+
+func (cli *Client) Mount(ctx context.Context, mountpoint string, labels map[string]string) error {
+	req := &pb.MountRequest{
+		Mountpoint: mountpoint,
+		Labels:     labels,
+	}
+
+	_, err := cli.client.Mount(ctx, req)
+	if err != nil {
+		log.G(ctx).WithError(err).Errorf("failed to call Mount")
+		return err
+	}
+
+	return nil
+}
+
+func (cli *Client) Check(ctx context.Context, mountpoint string, labels map[string]string) error {
+	req := &pb.CheckRequest{
+		Mountpoint: mountpoint,
+		Labels:     labels,
+	}
+
+	_, err := cli.client.Check(ctx, req)
+	if err != nil {
+		log.G(ctx).WithError(err).Errorf("failed to call Check")
+		return err
+	}
+
+	return nil
+}
+
+func (cli *Client) Unmount(ctx context.Context, mountpoint string) error {
+	req := &pb.UnmountRequest{
+		Mountpoint: mountpoint,
+	}
+
+	_, err := cli.client.Unmount(ctx, req)
+	if err != nil {
+		log.G(ctx).WithError(err).Errorf("failed to call Unmount")
+		return err
+	}
+
+	return nil
+}
@@ -0,0 +1,255 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package fusemanager
+
+import (
+	"context"
+	"flag"
+	"fmt"
+	golog "log"
+	"net"
+	"os"
+	"os/exec"
+	"os/signal"
+	"path/filepath"
+	"syscall"
+
+	"github.com/containerd/log"
+	"github.com/sirupsen/logrus"
+	"golang.org/x/sys/unix"
+	"google.golang.org/grpc"
+
+	pb "github.com/containerd/stargz-snapshotter/fusemanager/api"
+	"github.com/containerd/stargz-snapshotter/version"
+)
+
+var (
+	debugFlag     bool
+	versionFlag   bool
+	fuseStoreAddr string
+	address       string
+	logLevel      string
+	logPath       string
+	action        string
+)
+
+func parseFlags() {
+	flag.BoolVar(&debugFlag, "debug", false, "enable debug output in logs")
+	flag.BoolVar(&versionFlag, "v", false, "show the fusemanager version and exit")
+	flag.StringVar(&action, "action", "", "action of fusemanager")
+	flag.StringVar(&fuseStoreAddr, "fusestore-path", "/var/lib/containerd-stargz-grpc/fusestore.db", "address for the fusemanager's store")
+	flag.StringVar(&address, "address", "/run/containerd-stargz-grpc/fuse-manager.sock", "address for the fusemanager's gRPC socket")
+	flag.StringVar(&logLevel, "log-level", logrus.InfoLevel.String(), "set the logging level [trace, debug, info, warn, error, fatal, panic]")
+	flag.StringVar(&logPath, "log-path", "", "path to fusemanager's logs, no log recorded if empty")
+
+	flag.Parse()
+}
+
+func Run() {
+	if err := run(); err != nil {
+		fmt.Fprintf(os.Stderr, "failed to run fusemanager: %v", err)
+		os.Exit(1)
+	}
+}
+
+func run() error {
+	parseFlags()
+	if versionFlag {
+		fmt.Printf("%s:\n", os.Args[0])
+		fmt.Println("  Version: ", version.Version)
+		fmt.Println("  Revision:", version.Revision)
+		fmt.Println("")
+		return nil
+	}
+
+	if fuseStoreAddr == "" || address == "" {
+		return fmt.Errorf("fusemanager fusestore and socket path cannot be empty")
+	}
+
+	ctx := log.WithLogger(context.Background(), log.L)
+
+	switch action {
+	case "start":
+		return startNew(ctx, logPath, address, fuseStoreAddr, logLevel)
+	default:
+		return runFuseManager(ctx)
+	}
+}
+
+func startNew(ctx context.Context, logPath, address, fusestore, logLevel string) error {
+	self, err := os.Executable()
+	if err != nil {
+		return err
+	}
+
+	cwd, err := os.Getwd()
+	if err != nil {
+		return err
+	}
+
+	args := []string{
+		"-address", address,
+		"-fusestore-path", fusestore,
+		"-log-level", logLevel,
+	}
+
+	// we use shim-like approach to start new fusemanager process by self-invoking in the background
+	// and detach it from parent
+	cmd := exec.CommandContext(ctx, self, args...)
+	cmd.Dir = cwd
+	cmd.SysProcAttr = &syscall.SysProcAttr{
+		Setpgid: true,
+	}
+
+	if logPath != "" {
+		err := os.Remove(logPath)
+		if err != nil && !os.IsNotExist(err) {
+			return err
+		}
+		file, err := os.Create(logPath)
+		if err != nil {
+			return err
+		}
+		cmd.Stdout = file
+		cmd.Stderr = file
+	}
+
+	if err := cmd.Start(); err != nil {
+		return err
+	}
+	go cmd.Wait()
+
+	if ready, err := waitUntilReady(ctx); err != nil || !ready {
+		if err != nil {
+			return fmt.Errorf("failed to start new fusemanager: %w", err)
+		}
+		if !ready {
+			return fmt.Errorf("failed to start new fusemanager, fusemanager not ready")
+		}
+	}
+
+	return nil
+}
+
+// waitUntilReady waits until fusemanager is ready to accept requests
+func waitUntilReady(ctx context.Context) (bool, error) {
+	grpcCli, err := newClient(address)
+	if err != nil {
+		return false, err
+	}
+
+	resp, err := grpcCli.Status(ctx, &pb.StatusRequest{})
+	if err != nil {
+		log.G(ctx).WithError(err).Errorf("failed to call Status")
+		return false, err
+	}
+
+	if resp.Status == FuseManagerNotReady {
+		return false, nil
+	}
+
+	return true, nil
+}
+
+func runFuseManager(ctx context.Context) error {
+	lvl, err := logrus.ParseLevel(logLevel)
+	if err != nil {
+		return fmt.Errorf("failed to prepare logger: %w", err)
+	}
+
+	logrus.SetLevel(lvl)
+	logrus.SetFormatter(&logrus.JSONFormatter{
+		TimestampFormat: log.RFC3339NanoFixed,
+	})
+
+	golog.SetOutput(log.G(ctx).WriterLevel(logrus.DebugLevel))
+
+	// Prepare the directory for the socket
+	if err := os.MkdirAll(filepath.Dir(address), 0700); err != nil {
+		return fmt.Errorf("failed to create directory %s: %w", filepath.Dir(address), err)
+	}
+
+	// Try to remove the socket file to avoid EADDRINUSE
+	if err := os.Remove(address); err != nil && !os.IsNotExist(err) {
+		return fmt.Errorf("failed to remove old socket file: %w", err)
+	}
+
+	l, err := net.Listen("unix", address)
+	if err != nil {
+		return fmt.Errorf("failed to listen socket: %w", err)
+	}
+
+	server := grpc.NewServer()
+	fm, err := NewFuseManager(ctx, l, server, fuseStoreAddr)
+	if err != nil {
+		return fmt.Errorf("failed to configure manager server: %w", err)
+	}
+
+	pb.RegisterStargzFuseManagerServiceServer(server, fm)
+
+	sigCh := make(chan os.Signal, 1)
+	signal.Notify(sigCh, unix.SIGINT, unix.SIGTERM)
+	go func() {
+		sig := <-sigCh
+		log.G(ctx).Infof("Got %v", sig)
+		fm.server.Stop()
+		os.Remove(address)
+	}()
+
+	if err = server.Serve(l); err != nil {
+		return fmt.Errorf("failed to serve fuse manager: %w", err)
+	}
+
+	if err = fm.Close(ctx); err != nil {
+		return fmt.Errorf("failed to close fuse manager: %w", err)
+	}
+
+	return nil
+}
+
+func StartFuseManager(ctx context.Context, executable, address, fusestore, logLevel, logPath string) error {
+	// if socket exists, do not start it
+	if _, err := os.Stat(address); err == nil {
+		return nil
+	} else if !os.IsNotExist(err) {
+		return err
+	}
+
+	if _, err := os.Stat(executable); err != nil {
+		log.G(ctx).WithError(err).Errorf("failed to stat fusemanager binary: %s", executable)
+		return err
+	}
+
+	args := []string{
+		"-action", "start",
+		"-address", address,
+		"-fusestore-path", fusestore,
+		"-log-level", logLevel,
+		"-log-path", logPath,
+	}
+
+	cmd := exec.Command(executable, args...)
+	if err := cmd.Start(); err != nil {
+		return err
+	}
+
+	if err := cmd.Wait(); err != nil {
+		return err
+	}
+
+	return nil
+}
@@ -0,0 +1,99 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package fusemanager
+
+import (
+	"context"
+	"encoding/json"
+
+	bolt "go.etcd.io/bbolt"
+
+	"github.com/containerd/stargz-snapshotter/service"
+)
+
+var (
+	fuseInfoBucket = []byte("fuse-info-bucket")
+)
+
+type fuseInfo struct {
+	Root       string
+	Mountpoint string
+	Labels     map[string]string
+	Config     service.Config
+}
+
+func (fm *Server) storeFuseInfo(fuseInfo *fuseInfo) error {
+	return fm.ms.Update(func(tx *bolt.Tx) error {
+		bucket, err := tx.CreateBucketIfNotExists(fuseInfoBucket)
+		if err != nil {
+			return err
+		}
+
+		key := []byte(fuseInfo.Mountpoint)
+
+		val, err := json.Marshal(fuseInfo)
+		if err != nil {
+			return err
+		}
+
+		err = bucket.Put(key, val)
+		if err != nil {
+			return err
+		}
+
+		return nil
+	})
+}
+
+func (fm *Server) removeFuseInfo(fuseInfo *fuseInfo) error {
+	return fm.ms.Update(func(tx *bolt.Tx) error {
+		bucket, err := tx.CreateBucketIfNotExists(fuseInfoBucket)
+		if err != nil {
+			return err
+		}
+
+		key := []byte(fuseInfo.Mountpoint)
+
+		err = bucket.Delete(key)
+		if err != nil {
+			return err
+		}
+
+		return nil
+	})
+}
+
+// restoreFuseInfo restores fuseInfo when Init is called, it will skip mounted
+// layers whose mountpoint can be found in fsMap
+func (fm *Server) restoreFuseInfo(ctx context.Context) error {
+	return fm.ms.View(func(tx *bolt.Tx) error {
+		bucket := tx.Bucket(fuseInfoBucket)
+		if bucket == nil {
+			return nil
+		}
+
+		return bucket.ForEach(func(_, v []byte) error {
+			mi := &fuseInfo{}
+			err := json.Unmarshal(v, mi)
+			if err != nil {
+				return err
+			}
+
+			return fm.mount(ctx, mi.Mountpoint, mi.Labels)
+		})
+	})
+}
@@ -0,0 +1,308 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package fusemanager
+
+import (
+	"context"
+	"encoding/json"
+	"fmt"
+	"net"
+	"os"
+	"path/filepath"
+	"sync"
+	"time"
+
+	"github.com/containerd/log"
+	"github.com/moby/sys/mountinfo"
+	bolt "go.etcd.io/bbolt"
+	"google.golang.org/grpc"
+
+	pb "github.com/containerd/stargz-snapshotter/fusemanager/api"
+	"github.com/containerd/stargz-snapshotter/service"
+	"github.com/containerd/stargz-snapshotter/snapshot"
+)
+
+const (
+	FuseManagerNotReady = iota
+	FuseManagerWaitInit
+	FuseManagerReady
+)
+
+type Config struct {
+	Config                     *service.Config
+	IPFS                       bool   `toml:"ipfs"`
+	MetadataStore              string `toml:"metadata_store" default:"memory"`
+	DefaultImageServiceAddress string `json:"default_image_service_address"`
+}
+
+type ConfigContext struct {
+	Ctx     context.Context
+	Config  *Config
+	RootDir string
+	Server  *grpc.Server
+}
+
+var (
+	configFuncs []ConfigFunc
+	configMu    sync.Mutex
+)
+
+type ConfigFunc func(cc *ConfigContext) ([]service.Option, error)
+
+func RegisterConfigFunc(f ConfigFunc) {
+	configMu.Lock()
+	defer configMu.Unlock()
+	configFuncs = append(configFuncs, f)
+}
+
+type Server struct {
+	pb.UnimplementedStargzFuseManagerServiceServer
+
+	lock   sync.RWMutex
+	status int32
+
+	listener net.Listener
+	server   *grpc.Server
+
+	// root is the latest root passed from containerd-stargz-grpc
+	root string
+	// config is the latest config passed from containerd-stargz-grpc
+	config *Config
+	// fsMap maps mountpoint to its filesystem instance to ensure Mount/Check/Unmount
+	// call the proper filesystem
+	fsMap sync.Map
+	// curFs is filesystem created by latest config
+	curFs snapshot.FileSystem
+	ms    *bolt.DB
+
+	fuseStoreAddr string
+}
+
+func NewFuseManager(ctx context.Context, listener net.Listener, server *grpc.Server, fuseStoreAddr string) (*Server, error) {
+	if err := os.MkdirAll(filepath.Dir(fuseStoreAddr), 0700); err != nil {
+		return nil, fmt.Errorf("failed to create directory %q: %w", filepath.Dir(fuseStoreAddr), err)
+	}
+
+	db, err := bolt.Open(fuseStoreAddr, 0666, &bolt.Options{Timeout: 10 * time.Second, ReadOnly: false})
+	if err != nil {
+		return nil, fmt.Errorf("failed to configure fusestore: %w", err)
+	}
+
+	fm := &Server{
+		status:        FuseManagerWaitInit,
+		lock:          sync.RWMutex{},
+		fsMap:         sync.Map{},
+		ms:            db,
+		listener:      listener,
+		server:        server,
+		fuseStoreAddr: fuseStoreAddr,
+	}
+
+	return fm, nil
+}
+
+func (fm *Server) Status(ctx context.Context, _ *pb.StatusRequest) (*pb.StatusResponse, error) {
+	fm.lock.RLock()
+	defer fm.lock.RUnlock()
+
+	return &pb.StatusResponse{
+		Status: fm.status,
+	}, nil
+}
+
+func (fm *Server) Init(ctx context.Context, req *pb.InitRequest) (*pb.Response, error) {
+	fm.lock.Lock()
+	fm.status = FuseManagerWaitInit
+	defer func() {
+		fm.status = FuseManagerReady
+		fm.lock.Unlock()
+	}()
+
+	ctx = log.WithLogger(ctx, log.G(ctx))
+
+	config := &Config{}
+	err := json.Unmarshal(req.Config, config)
+	if err != nil {
+		log.G(ctx).WithError(err).Errorf("failed to get config")
+		return &pb.Response{}, err
+	}
+	fm.root = req.Root
+	fm.config = config
+
+	cc := &ConfigContext{
+		Ctx:     ctx,
+		Config:  fm.config,
+		RootDir: fm.root,
+		Server:  fm.server,
+	}
+
+	var opts []service.Option
+	for _, configFunc := range configFuncs {
+		funcOpts, err := configFunc(cc)
+		if err != nil {
+			log.G(ctx).WithError(err).Errorf("failed to apply config function")
+			return &pb.Response{}, err
+		}
+		opts = append(opts, funcOpts...)
+	}
+
+	fs, err := service.NewFileSystem(ctx, fm.root, fm.config.Config, opts...)
+	if err != nil {
+		return &pb.Response{}, err
+	}
+	fm.curFs = fs
+
+	err = fm.restoreFuseInfo(ctx)
+	if err != nil {
+		log.G(ctx).WithError(err).Errorf("failed to restore fuse info")
+		return &pb.Response{}, err
+	}
+
+	return &pb.Response{}, nil
+}
+
+func (fm *Server) Mount(ctx context.Context, req *pb.MountRequest) (*pb.Response, error) {
+	fm.lock.RLock()
+	defer fm.lock.RUnlock()
+	if fm.status != FuseManagerReady {
+		return &pb.Response{}, fmt.Errorf("fuse manager not ready")
+	}
+
+	ctx = log.WithLogger(ctx, log.G(ctx).WithField("mountpoint", req.Mountpoint))
+
+	err := fm.mount(ctx, req.Mountpoint, req.Labels)
+	if err != nil {
+		log.G(ctx).WithError(err).Errorf("failed to mount stargz")
+		return &pb.Response{}, err
+	}
+
+	fm.storeFuseInfo(&fuseInfo{
+		Root:       fm.root,
+		Mountpoint: req.Mountpoint,
+		Labels:     req.Labels,
+		Config:     *fm.config.Config,
+	})
+
+	return &pb.Response{}, nil
+}
+
+func (fm *Server) Check(ctx context.Context, req *pb.CheckRequest) (*pb.Response, error) {
+	fm.lock.RLock()
+	defer fm.lock.RUnlock()
+	if fm.status != FuseManagerReady {
+		return &pb.Response{}, fmt.Errorf("fuse manager not ready")
+	}
+
+	ctx = log.WithLogger(ctx, log.G(ctx).WithField("mountpoint", req.Mountpoint))
+
+	obj, found := fm.fsMap.Load(req.Mountpoint)
+	if !found {
+		err := fmt.Errorf("failed to find filesystem of mountpoint %s", req.Mountpoint)
+		log.G(ctx).WithError(err).Errorf("failed to check filesystem")
+		return &pb.Response{}, err
+	}
+
+	fs := obj.(snapshot.FileSystem)
+	err := fs.Check(ctx, req.Mountpoint, req.Labels)
+	if err != nil {
+		log.G(ctx).WithError(err).Errorf("failed to check filesystem")
+		return &pb.Response{}, err
+	}
+
+	return &pb.Response{}, nil
+}
+
+func (fm *Server) Unmount(ctx context.Context, req *pb.UnmountRequest) (*pb.Response, error) {
+	fm.lock.RLock()
+	defer fm.lock.RUnlock()
+	if fm.status != FuseManagerReady {
+		return &pb.Response{}, fmt.Errorf("fuse manager not ready")
+	}
+
+	ctx = log.WithLogger(ctx, log.G(ctx).WithField("mountpoint", req.Mountpoint))
+
+	obj, found := fm.fsMap.Load(req.Mountpoint)
+	if !found {
+		// check whether already unmounted
+		mounts, err := mountinfo.GetMounts(func(info *mountinfo.Info) (skip, stop bool) {
+			if info.Mountpoint == req.Mountpoint {
+				return false, true
+			}
+			return true, false
+		})
+		if err != nil {
+			log.G(ctx).WithError(err).Errorf("failed to get mount info")
+			return &pb.Response{}, err
+		}
+
+		if len(mounts) <= 0 {
+			return &pb.Response{}, nil
+		}
+		err = fmt.Errorf("failed to find filesystem of mountpoint %s", req.Mountpoint)
+		log.G(ctx).WithError(err).Errorf("failed to unmount filesystem")
+		return &pb.Response{}, err
+	}
+
+	fs := obj.(snapshot.FileSystem)
+	err := fs.Unmount(ctx, req.Mountpoint)
+	if err != nil {
+		log.G(ctx).WithError(err).Errorf("failed to unmount filesystem")
+		return &pb.Response{}, err
+	}
+
+	fm.fsMap.Delete(req.Mountpoint)
+	fm.removeFuseInfo(&fuseInfo{
+		Mountpoint: req.Mountpoint,
+	})
+
+	return &pb.Response{}, nil
+}
+
+func (fm *Server) Close(ctx context.Context) error {
+	fm.lock.Lock()
+	defer fm.lock.Unlock()
+	fm.status = FuseManagerNotReady
+
+	err := fm.ms.Close()
+	if err != nil {
+		log.G(ctx).WithError(err).Errorf("failed to close fusestore")
+		return err
+	}
+
+	if err := os.Remove(fm.fuseStoreAddr); err != nil {
+		log.G(ctx).WithError(err).Errorf("failed to remove fusestore file %s", fm.fuseStoreAddr)
+		return err
+	}
+
+	return nil
+}
+
+func (fm *Server) mount(ctx context.Context, mountpoint string, labels map[string]string) error {
+	// mountpoint in fsMap means layer is already mounted, skip it
+	if _, found := fm.fsMap.Load(mountpoint); found {
+		return nil
+	}
+
+	err := fm.curFs.Mount(ctx, mountpoint, labels)
+	if err != nil {
+		log.G(ctx).WithError(err).Errorf("failed to mount stargz")
+		return err
+	}
+
+	fm.fsMap.Store(mountpoint, fm.curFs)
+	return nil
+}
@@ -26,6 +26,8 @@ require (
 	github.com/opencontainers/runtime-spec v1.2.0
 	github.com/prometheus/client_golang v1.20.5
 	github.com/rs/xid v1.6.0
+	github.com/sirupsen/logrus v1.9.3
+	go.etcd.io/bbolt v1.3.11
 	golang.org/x/sync v0.9.0
 	golang.org/x/sys v0.26.0
 	google.golang.org/grpc v1.68.0
@@ -90,15 +92,13 @@ require (
 	github.com/prometheus/common v0.55.0 // indirect
 	github.com/prometheus/procfs v0.15.1 // indirect
 	github.com/russross/blackfriday/v2 v2.1.0 // indirect
-	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/stretchr/testify v1.9.0 // indirect
 	github.com/syndtr/gocapability v0.0.0-20200815063812-42c35b437635 // indirect
 	github.com/urfave/cli/v2 v2.27.5 // indirect
 	github.com/vbatts/tar-split v0.11.6 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
 	github.com/xrash/smetrics v0.0.0-20240521201337-686a1a2994c1 // indirect
-	go.etcd.io/bbolt v1.3.11 // indirect
 	go.opencensus.io v0.24.0 // indirect
 	go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp v0.56.0 // indirect
 	go.opentelemetry.io/otel v1.31.0 // indirect
 
@@ -0,0 +1,88 @@
+/*
+   Copyright The containerd Authors.
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.
+*/
+
+package keychainconfig
+
+import (
+	"context"
+	"time"
+
+	"github.com/containerd/containerd/v2/defaults"
+	"github.com/containerd/containerd/v2/pkg/dialer"
+	"github.com/containerd/stargz-snapshotter/service/keychain/cri"
+	"github.com/containerd/stargz-snapshotter/service/keychain/dockerconfig"
+	"github.com/containerd/stargz-snapshotter/service/keychain/kubeconfig"
+	"github.com/containerd/stargz-snapshotter/service/resolver"
+	"google.golang.org/grpc"
+	"google.golang.org/grpc/backoff"
+	"google.golang.org/grpc/credentials/insecure"
+	runtime "k8s.io/cri-api/pkg/apis/runtime/v1"
+)
+
+type Config struct {
+	EnableKubeKeychain         bool
+	EnableCRIKeychain          bool
+	KubeconfigPath             string
+	DefaultImageServiceAddress string
+	ImageServicePath           string
+}
+
+func ConfigKeychain(ctx context.Context, rpc *grpc.Server, config *Config) ([]resolver.Credential, error) {
+	credsFuncs := []resolver.Credential{dockerconfig.NewDockerconfigKeychain(ctx)}
+	if config.EnableKubeKeychain {
+		var opts []kubeconfig.Option
+		if kcp := config.KubeconfigPath; kcp != "" {
+			opts = append(opts, kubeconfig.WithKubeconfigPath(kcp))
+		}
+		credsFuncs = append(credsFuncs, kubeconfig.NewKubeconfigKeychain(ctx, opts...))
+	}
+	if config.EnableCRIKeychain {
+		// connects to the backend CRI service (defaults to containerd socket)
+		criAddr := config.DefaultImageServiceAddress
+		if cp := config.ImageServicePath; cp != "" {
+			criAddr = cp
+		}
+		connectCRI := func() (runtime.ImageServiceClient, error) {
+			conn, err := newCRIConn(criAddr)
+			if err != nil {
+				return nil, err
+			}
+			return runtime.NewImageServiceClient(conn), nil
+		}
+		f, criServer := cri.NewCRIKeychain(ctx, connectCRI)
+		runtime.RegisterImageServiceServer(rpc, criServer)
+		credsFuncs = append(credsFuncs, f)
+	}
+
+	return credsFuncs, nil
+}
+
+func newCRIConn(criAddr string) (*grpc.ClientConn, error) {
+	// TODO: make gRPC options configurable from config.toml
+	backoffConfig := backoff.DefaultConfig
+	backoffConfig.MaxDelay = 3 * time.Second
+	connParams := grpc.ConnectParams{
+		Backoff: backoffConfig,
+	}
+	gopts := []grpc.DialOption{
+		grpc.WithTransportCredentials(insecure.NewCredentials()),
+		grpc.WithConnectParams(connParams),
+		grpc.WithContextDialer(dialer.ContextDialer),
+		grpc.WithDefaultCallOptions(grpc.MaxCallRecvMsgSize(defaults.DefaultMaxRecvMsgSize)),
+		grpc.WithDefaultCallOptions(grpc.MaxCallSendMsgSize(defaults.DefaultMaxSendMsgSize)),
+	}
+	return grpc.NewClient(dialer.DialAddress(criAddr), gopts...)
+}
@@ -18,6 +18,7 @@ package service
 
 import (
 	"context"
+	"fmt"
 	"path/filepath"
 
 	"github.com/containerd/containerd/v2/core/snapshots"
@@ -30,6 +31,7 @@ import (
 	"github.com/containerd/stargz-snapshotter/metadata"
 	esgzexternaltoc "github.com/containerd/stargz-snapshotter/nativeconverter/estargz/externaltoc"
 	"github.com/containerd/stargz-snapshotter/service/resolver"
+	"github.com/containerd/stargz-snapshotter/snapshot"
 	snbase "github.com/containerd/stargz-snapshotter/snapshot"
 	"github.com/hashicorp/go-multierror"
 	ocispec "github.com/opencontainers/image-spec/specs-go/v1"
@@ -66,6 +68,27 @@ func WithFilesystemOptions(opts ...stargzfs.Option) Option {
 
 // NewStargzSnapshotterService returns stargz snapshotter.
 func NewStargzSnapshotterService(ctx context.Context, root string, config *Config, opts ...Option) (snapshots.Snapshotter, error) {
+	fs, err := NewFileSystem(ctx, root, config, opts...)
+	if err != nil {
+		return nil, fmt.Errorf("failed to configure filesystem: %w", err)
+	}
+
+	var snapshotter snapshots.Snapshotter
+
+	snOpts := []snbase.Opt{snbase.AsynchronousRemove}
+	if config.SnapshotterConfig.AllowInvalidMountsOnRestart {
+		snOpts = append(snOpts, snbase.AllowInvalidMountsOnRestart)
+	}
+
+	snapshotter, err = snbase.NewSnapshotter(ctx, snapshotterRoot(root), fs, snOpts...)
+	if err != nil {
+		return nil, fmt.Errorf("failed to create new snapshotter: %w", err)
+	}
+
+	return snapshotter, nil
+}
+
+func NewFileSystem(ctx context.Context, root string, config *Config, opts ...Option) (snapshot.FileSystem, error) {
 	var sOpts options
 	for _, o := range opts {
 		o(&sOpts)
@@ -97,22 +120,10 @@ func NewStargzSnapshotterService(ctx context.Context, root string, config *Confi
 	)
 	fs, err := stargzfs.NewFilesystem(fsRoot(root), config.Config, fsOpts...)
 	if err != nil {
-		log.G(ctx).WithError(err).Fatalf("failed to configure filesystem")
-	}
-
-	var snapshotter snapshots.Snapshotter
-
-	snOpts := []snbase.Opt{snbase.AsynchronousRemove}
-	if config.SnapshotterConfig.AllowInvalidMountsOnRestart {
-		snOpts = append(snOpts, snbase.AllowInvalidMountsOnRestart)
-	}
-
-	snapshotter, err = snbase.NewSnapshotter(ctx, snapshotterRoot(root), fs, snOpts...)
-	if err != nil {
-		log.G(ctx).WithError(err).Fatalf("failed to create new snapshotter")
+		return nil, err
 	}
 
-	return snapshotter, err
+	return fs, nil
 }
 
 func snapshotterRoot(root string) string {