How Nydus Accelerates Container Image Delivery and Boosts Data Security

Challenge of Large Container Images

When container images grow to several gigabytes, downloading them to a node can take a long time, delaying container creation. Existing P2P distribution (e.g., Dragonfly) speeds up bulk transfer but still requires the full image to be present before a container can start, and data integrity remains a concern.

Introducing Nydus

Nydus is a container image acceleration service added to the Dragonfly project. It shortens image download time, provides end‑to‑end consistency checks, and has been deployed at scale internally before being open‑sourced.

Repository: https://github.com/dragonflyoss/image-service

Key Features

On‑demand image download – containers can start without the full image.

Block‑level deduplication – identical data slices are stored only once.

Only final usable data is retained – expired layers are not kept.

End‑to‑end data consistency verification.

Compatibility with OCI distribution and artifacts standards.

Support for multiple storage back‑ends (registry, NAS, S3‑compatible object stores).

Seamless integration with Dragonfly.

Architecture Overview

Nydus consists of a new image format and a FUSE‑based user‑space file‑system that parses container images. The service can serve images via FUSE or virtiofs, supporting both traditional runc containers and Kata containers. Image sources include container registries, OSS, NAS, and Dragonfly super‑nodes/peer nodes. A local cache can be configured to avoid repeated remote fetches.

Image Format Details

Nydus splits an OCI image into two layers:

Metadata layer : a self‑checking Merkle tree where each file or directory node carries a hash derived from its content.

Data layer : fixed‑size slices (chunks) that store the actual file data. Identical slices can be shared across files and even across different images.

Benefits for Users

Container startup becomes almost instantaneous; tests show common images launch in seconds instead of minutes.

Nydus streams data on demand and validates each access against the Merkle tree. If data is tampered, the service automatically re‑fetches the correct slice from the remote source, providing continuous integrity protection.

Future Roadmap

After a year of internal stabilization, security hardening, and usability improvements, the open‑source Nydus project will focus on broader cloud‑native ecosystem integration. The goal is to enable fast, secure container startup regardless of image size.

OCI Community Involvement

The Nydus team participates in OCI discussions on the next‑generation image format (OCIv2). Nydus satisfies all OCIv2 requirements and is proposed as a reference implementation for the upcoming standard.

FAQ

Q1: What problems exist with the current OCI image standard? The tar‑based format is considered outdated and unsuitable for container images, leading to inefficiencies and limited deduplication.

Q2: How does Nydus differ from CRFS? Both share a similar design, but Nydus adds block‑level deduplication and end‑to‑end consistency checks, extending the CRFS stargz format.

Q3: How does Nydus differ from Azure Teleport? Teleport relies on the legacy tar format and snapshotter‑based on‑demand download, while Nydus abandons tar entirely and uses a Merkle‑tree format with advanced features.

Q4: What happens if the network drops while a Nydus‑based container is running? Containers can start immediately because the image is not fully downloaded. If the network drops after startup, cached data remains usable; uncached data becomes unavailable until the network is restored.

OCIv2 Image Standard Requirements

Since June 2020 the OCI community defined a set of requirements for the next‑generation image format, including:

Less duplicate data

Reconstructable image format

Clearer filesystem metadata

Mountable filesystem format

Image content list

On‑demand data loading

Scalability

Checksums or repairability

Reduced upload size

Operation on untrusted storage

Nydus meets all of these requirements, making it a concrete implementation for community discussion.

Shared document link: https://hackmd.io/@cyphar/ociv2-brainstorm