Use containerd GC for image-fetcher cleanup

Mark unpacked pulled layers as GC-eligible during VHD image preloading and trigger a single synchronous containerd GC after the preload batch. This avoids scanning all images per pull while preserving fetch-only image blobs.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: awesomenix

image-fetcher/main.go

@@ -5,8 +5,11 @@ import (
 	"fmt"
 	"os"
 	"runtime"
+	"time"
 
 	containerd "github.com/containerd/containerd/v2/client"
+	"github.com/containerd/containerd/v2/core/images"
+	"github.com/containerd/containerd/v2/core/leases"
 	"github.com/containerd/containerd/v2/pkg/namespaces"
 	"github.com/containerd/platforms"
 )
@@ -23,6 +26,7 @@ const (
 func main() {
 	if len(os.Args) < 2 {
 		fmt.Fprintf(os.Stderr, "Usage: %s <image-ref> [image-ref...]\n", os.Args[0])
+		fmt.Fprintf(os.Stderr, "       %s --gc\n", os.Args[0])
 		fmt.Fprintf(os.Stderr, "Example: %s mcr.microsoft.com/oss/kubernetes/pause:3.9\n", os.Args[0])
 		os.Exit(1)
 	}
@@ -45,6 +49,15 @@ func main() {
 
 	ctx := namespaces.WithNamespace(context.Background(), ns)
 
+	if len(os.Args) == 2 && os.Args[1] == "--gc" {
+		if err := triggerGarbageCollection(ctx, client); err != nil {
+			fmt.Fprintf(os.Stderr, "Failed to trigger containerd GC: %v\n", err)
+			os.Exit(1)
+		}
+		fmt.Println("Triggered containerd GC")
+		return
+	}
+
 	failed := 0
 	for _, ref := range os.Args[1:] {
 		if err := fetchImage(ctx, client, ref); err != nil {
@@ -103,10 +116,13 @@ func fetchImage(ctx context.Context, client *containerd.Client, ref string) erro
 	if size < pullSizeThreshold {
 		// We use pull here instead of use unpack because some runtimes (e.g. containerd-shim-runsc-v1),
 		// require pull to trigger unpacking into the correct snapshotter based on the image's platform.
-		if _, err := client.Pull(ctx, ref,
+		pullOpts := []containerd.RemoteOpt{
 			containerd.WithPlatformMatcher(platformMatcher),
 			containerd.WithPullUnpack,
-		); err != nil {
+			containerd.WithChildLabelMap(images.ChildGCLabelsFilterLayers),
+		}
+
+		if _, err := client.Pull(ctx, ref, pullOpts...); err != nil {
 			return fmt.Errorf("pull failed: %w", err)
 		}
 		fmt.Printf("OK    %s -> %s (pulled, %s)\n", imageMeta.Name, imageMeta.Target.Digest, formatSize(size))
@@ -117,6 +133,15 @@ func fetchImage(ctx context.Context, client *containerd.Client, ref string) erro
 	return nil
 }
 
+func triggerGarbageCollection(ctx context.Context, client *containerd.Client) error {
+	ls := client.LeasesService()
+	l, err := ls.Create(ctx, leases.WithRandomID(), leases.WithExpiration(time.Hour))
+	if err != nil {
+		return err
+	}
+	return ls.Delete(ctx, l, leases.SynchronousDelete)
+}
+
 func formatSize(bytes int64) string {
 	const (
 		mib = 1024 * 1024

vhdbuilder/packer/install-dependencies.sh

@@ -699,6 +699,7 @@ while IFS= read -r imageToBePulled; do
 done <<< "$ContainerImages"
 echo "Waiting for container image pulls to finish. PID: ${image_pids[@]}"
 wait ${image_pids[@]}
+/opt/azure/containers/image-fetcher --gc
 capture_benchmark "${SCRIPT_NAME}_caching_container_images"
 
 retagAKSNodeCAWatcher() {