atime is touched in containerd snapshotter

[mzihlmann]

Contributing guidelines and issue reporting guide

• I've read the contributing guidelines and wholeheartedly agree. I've also read the issue reporting guide.

Well-formed report checklist

• I have found a bug that the documentation does not mention anything about my problem
• I have found a bug that there are no open or closed issues that are related to my problem
• I have provided version/information about my environment and done my best to provide a reproducer

Description of bug

Bug description

When running with containerd snapshotter, the snapshotting process itself will pollute the atime of folders. This does not happen with legacy snapshotter.

Reproduction

configure containerd snapshotter

{
    "features": {
        "containerd-snapshotter": true
    }
}

FROM debian:12.10 AS first-image

RUN mkdir -p /tmp/testdir \
    && echo "hello" > /tmp/testdir/file.txt \
    && touch -d '2000-01-01' /tmp/testdir \
    && touch -d '2000-01-01' /tmp/testdir/file.txt

RUN stat /tmp/testdir \
    && stat /tmp/testdir/file.txt

Note that the atime on the folder was modified

0.219   File: /tmp/testdir                                                                                                                                                           
0.219   Size: 4096              Blocks: 8          IO Block: 4096   directory                                                                                                        
0.219 Device: 0,70      Inode: 58989944    Links: 2                                                                                                                                  
0.219 Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
0.219 Access: 2026-04-02 21:45:55.748062183 +0000
0.219 Modify: 2000-01-01 00:00:00.000000000 +0000
0.219 Change: 2026-04-02 21:45:55.719062009 +0000
0.219  Birth: 2026-04-02 21:45:55.716061991 +0000
0.220   File: /tmp/testdir/file.txt
0.220   Size: 6                 Blocks: 8          IO Block: 4096   regular file
0.220 Device: 0,70      Inode: 58989945    Links: 1
0.220 Access: (0644/-rw-r--r--)  Uid: (    0/    root)   Gid: (    0/    root)
0.220 Access: 2000-01-01 00:00:00.000000000 +0000
0.220 Modify: 2000-01-01 00:00:00.000000000 +0000
0.220 Change: 2026-04-02 21:45:55.720062014 +0000
0.220  Birth: 2026-04-02 21:45:55.717061996 +0000

Version information

Client: Docker Engine - Community
 Version:    29.3.0
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  v0.31.1
    Path:     /usr/libexec/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  v5.1.0
    Path:     /usr/libexec/docker/cli-plugins/docker-compose

Server:
 Containers: 179
  Running: 2
  Paused: 0
  Stopped: 177
 Images: 198
 Server Version: 29.3.0
 Storage Driver: overlayfs
  driver-type: io.containerd.snapshotter.v1
 Logging Driver: json-file
 Cgroup Driver: systemd
 Cgroup Version: 2
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local splunk syslog
 CDI spec directories:
  /etc/cdi
  /var/run/cdi
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 301b2dac98f15c27117da5c8af12118a041a31d9
 runc version: v1.3.4-0-gd6d73eb8
 init version: de40ad0
 Security Options:
  apparmor
  seccomp
   Profile: builtin
  cgroupns
 Kernel Version: 6.8.0-106-generic
 Operating System: Ubuntu 24.04.4 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 16
 Total Memory: 30.98GiB
 Name: Thinkpad
 ID: 7c2bb7a0-4944-4af1-bbd2-493b1172ce40
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Username: mzihlmann
 Experimental: false
 Insecure Registries:
  ::1/128
  127.0.0.0/8
 Live Restore Enabled: false
 Firewall Backend: iptables

Conversation in slack: https://dockercommunity.slack.com/archives/C7S7A40MP/p1775164398745019
associated PR in kaniko: https://github.com/osscontainertools/kaniko/pull/570/changes

[tonistiigi]

This is called by the DiskUsage call inside the overlay.Commit that performs a recursive walk. https://github.com/containerd/containerd/blob/v2.3.0-beta.0/plugins/snapshots/overlay/overlay.go#L305-L308

Probably more importantly than this issue, this is also a performance problem as the usage computations should be deferred until the usage value is actually needed, instead of pausing between build steps to compute that.

@dmcgowan