Fix system df to count content blobs and deduplicate shared storage

Makefile

@@ -211,7 +211,8 @@ INTEGRATION_TEST_SUITES ?= \
 	TestCLIKernelSet \
 	TestCLIAnonymousVolumes \
 	TestCLINotFound \
-	TestCLINoParallelCases
+	TestCLINoParallelCases \
+	TestCLISystemDF
 
 empty :=
 space := $(empty) $(empty)

Sources/ContainerResource/Common/FileManager+AllocatedSize.swift

@@ -0,0 +1,47 @@
+//===----------------------------------------------------------------------===//
+// Copyright © 2026 Apple Inc. and the container project authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//   https://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//===----------------------------------------------------------------------===//
+
+import Foundation
+
+extension FileManager {
+    /// Total bytes allocated on disk for all files in a directory (recursive).
+    ///
+    /// Caveats: hidden files are skipped, symlinks to directories are not followed, but
+    /// symlinks-to-files and hard links each contribute their target's full allocation
+    /// so shared inodes are counted multiple times.
+    public func allocatedSize(of directory: URL) -> UInt64 {
+        guard
+            let enumerator = self.enumerator(
+                at: directory,
+                includingPropertiesForKeys: [.totalFileAllocatedSizeKey],
+                options: [.skipsHiddenFiles]
+            )
+        else {
+            return 0
+        }
+
+        var size: UInt64 = 0
+        for case let fileURL as URL in enumerator {
+            guard let resourceValues = try? fileURL.resourceValues(forKeys: [.totalFileAllocatedSizeKey]),
+                let fileSize = resourceValues.totalFileAllocatedSize
+            else {
+                continue
+            }
+            size += UInt64(fileSize)
+        }
+        return size
+    }
+}

Sources/Plugins/CoreImages/ImagesHelper.swift

@@ -98,7 +98,13 @@ extension ImagesHelper {
             let imageStore = try ImageStore(path: rootURL, contentStore: contentStore)
             let unpackStrategy = SnapshotStore.defaultUnpackStrategy(initImage: containerSystemConfig.vminit.image)
             let snapshotStore = try SnapshotStore(path: rootURL, unpackStrategy: unpackStrategy, log: log)
-            let service = try ImagesService(contentStore: contentStore, imageStore: imageStore, snapshotStore: snapshotStore, log: log)
+            let service = try ImagesService(
+                contentStore: contentStore,
+                contentStoreTotalSize: { try await contentStore.totalAllocatedSize() },
+                imageStore: imageStore,
+                snapshotStore: snapshotStore,
+                log: log
+            )
             let harness = ImagesServiceHarness(service: service, log: log)
 
             routes[ImagesServiceXPCRoute.imagePull.rawValue] = XPCServer.route(harness.pull)
@@ -124,6 +130,7 @@ extension ImagesHelper {
             routes[ImagesServiceXPCRoute.contentClean.rawValue] = XPCServer.route(harness.clean)
             routes[ImagesServiceXPCRoute.contentGet.rawValue] = XPCServer.route(harness.get)
             routes[ImagesServiceXPCRoute.contentDelete.rawValue] = XPCServer.route(harness.delete)
+            routes[ImagesServiceXPCRoute.contentSize.rawValue] = XPCServer.route(harness.totalSize)
             routes[ImagesServiceXPCRoute.contentIngestStart.rawValue] = XPCServer.route(harness.newIngestSession)
             routes[ImagesServiceXPCRoute.contentIngestCancel.rawValue] = XPCServer.route(harness.cancelIngestSession)
             routes[ImagesServiceXPCRoute.contentIngestComplete.rawValue] = XPCServer.route(harness.completeIngestSession)

Sources/Services/ContainerAPIService/Server/Containers/ContainersService.swift

@@ -216,7 +216,7 @@ public actor ContainersService {
 
             for (id, state) in await self.containers {
                 let bundlePath = self.containerRoot.appendingPathComponent(id)
-                let containerSize = Self.calculateDirectorySize(at: bundlePath.path)
+                let containerSize = FileManager.default.allocatedSize(of: bundlePath)
                 totalSize += containerSize
 
                 if state.snapshot.status == .running {
@@ -243,39 +243,6 @@ public actor ContainersService {
         }
     }
 
-    /// Calculate directory size using APFS-aware resource keys
-    /// - Parameter path: Path to directory
-    /// - Returns: Total allocated size in bytes
-    private static nonisolated func calculateDirectorySize(at path: String) -> UInt64 {
-        let url = URL(fileURLWithPath: path)
-        let fileManager = FileManager.default
-
-        guard
-            let enumerator = fileManager.enumerator(
-                at: url,
-                includingPropertiesForKeys: [.totalFileAllocatedSizeKey],
-                options: [.skipsHiddenFiles]
-            )
-        else {
-            return 0
-        }
-
-        var totalSize: UInt64 = 0
-        for case let fileURL as URL in enumerator {
-            guard
-                let resourceValues = try? fileURL.resourceValues(
-                    forKeys: [.totalFileAllocatedSizeKey]
-                ),
-                let fileSize = resourceValues.totalFileAllocatedSize
-            else {
-                continue
-            }
-            totalSize += UInt64(fileSize)
-        }
-
-        return totalSize
-    }
-
     /// Create a new container from the provided id and configuration.
     public func create(configuration: ContainerConfiguration, kernel: Kernel, options: ContainerCreateOptions, initImage: String? = nil, runtimeData: Data? = nil) async throws {
         log.debug(
@@ -900,7 +867,7 @@ public actor ContainersService {
 
         let containerPath = self.containerRoot.appendingPathComponent(id).path
 
-        return Self.calculateDirectorySize(at: containerPath)
+        return FileManager.default.allocatedSize(of: URL(fileURLWithPath: containerPath))
     }
 
     public func exportRootfs(id: String, archive: URL) async throws {

Sources/Services/ContainerAPIService/Server/Volumes/VolumesService.swift

@@ -158,7 +158,7 @@ public actor VolumesService {
         }
 
         let volumePath = self.volumePath(for: name)
-        return self.calculateDirectorySize(at: volumePath)
+        return FileManager.default.allocatedSize(of: URL(fileURLWithPath: volumePath))
     }
 
     /// Calculate disk usage for volumes
@@ -201,7 +201,7 @@ public actor VolumesService {
                 // Calculate sizes
                 for volume in allVolumes {
                     let volumePath = self.volumePath(for: volume.name)
-                    let volumeSize = self.calculateDirectorySize(at: volumePath)
+                    let volumeSize = FileManager.default.allocatedSize(of: URL(fileURLWithPath: volumePath))
                     totalSize += volumeSize
 
                     if !inUseSet.contains(volume.name) {
@@ -214,33 +214,6 @@ public actor VolumesService {
         }
     }
 
-    private nonisolated func calculateDirectorySize(at path: String) -> UInt64 {
-        let url = URL(fileURLWithPath: path)
-        let fileManager = FileManager.default
-
-        guard
-            let enumerator = fileManager.enumerator(
-                at: url,
-                includingPropertiesForKeys: [.totalFileAllocatedSizeKey],
-                options: [.skipsHiddenFiles]
-            )
-        else {
-            return 0
-        }
-
-        var totalSize: UInt64 = 0
-        for case let fileURL as URL in enumerator {
-            guard let resourceValues = try? fileURL.resourceValues(forKeys: [.totalFileAllocatedSizeKey]),
-                let fileSize = resourceValues.totalFileAllocatedSize
-            else {
-                continue
-            }
-            totalSize += UInt64(fileSize)
-        }
-
-        return totalSize
-    }
-
     private func parseSize(_ sizeString: String) throws -> UInt64 {
         let measurement = try Measurement.parse(parsing: sizeString)
         let bytes = measurement.converted(to: .bytes).value

Sources/Services/ContainerImagesService/Client/ImageServiceXPCRoutes.swift

@@ -33,6 +33,7 @@ public enum ImagesServiceXPCRoute: String {
     case contentGet
     case contentDelete
     case contentClean
+    case contentSize
     case contentIngestStart
     case contentIngestComplete
     case contentIngestCancel

Sources/Services/ContainerImagesService/Client/RemoteContentStoreClient.swift

@@ -143,6 +143,13 @@ public struct RemoteContentStoreClient: ContentStore {
         request.set(key: .ingestSessionId, value: id)
         try await client.send(request)
     }
+
+    public func totalAllocatedSize() async throws -> UInt64 {
+        let client = Self.newClient()
+        let request = XPCMessage(route: .contentSize)
+        let response = try await client.send(request)
+        return response.uint64(key: .imageSize)
+    }
 }
 
 #endif

Sources/Services/ContainerImagesService/Server/ContentServiceHarness.swift

@@ -111,4 +111,12 @@ public struct ContentServiceHarness: Sendable {
         reply.set(key: .digests, value: d)
         return reply
     }
+
+    @Sendable
+    public func totalSize(_ message: XPCMessage) async throws -> XPCMessage {
+        let size = await self.service.totalAllocatedSize()
+        let reply = message.reply()
+        reply.set(key: .imageSize, value: size)
+        return reply
+    }
 }

Sources/Services/ContainerImagesService/Server/ContentStoreService.swift

@@ -15,6 +15,7 @@
 //===----------------------------------------------------------------------===//
 
 import ContainerImagesServiceClient
+import ContainerResource
 import Containerization
 import ContainerizationOCI
 import Foundation
@@ -156,4 +157,9 @@ public actor ContentStoreService {
 
         return try await self.contentStore.cancelIngestSession(id)
     }
+
+    /// Total bytes allocated on disk for the content store.
+    public func totalAllocatedSize() -> UInt64 {
+        FileManager.default.allocatedSize(of: self.root)
+    }
 }

Sources/Services/ContainerImagesService/Server/ImagesService.swift

@@ -29,11 +29,19 @@ import TerminalProgress
 public actor ImagesService {
     private let log: Logger
     private let contentStore: ContentStore
+    private let contentStoreTotalSize: @Sendable () async throws -> UInt64
     private let imageStore: ImageStore
     private let snapshotStore: SnapshotStore
 
-    public init(contentStore: ContentStore, imageStore: ImageStore, snapshotStore: SnapshotStore, log: Logger) throws {
+    public init(
+        contentStore: ContentStore,
+        contentStoreTotalSize: @Sendable @escaping () async throws -> UInt64,
+        imageStore: ImageStore,
+        snapshotStore: SnapshotStore,
+        log: Logger
+    ) throws {
         self.contentStore = contentStore
+        self.contentStoreTotalSize = contentStoreTotalSize
         self.imageStore = imageStore
         self.snapshotStore = snapshotStore
         self.log = log
@@ -270,8 +278,7 @@ public actor ImagesService {
 
     /// Calculate disk usage for images
     /// - Parameter activeReferences: Set of image references currently in use by containers
-    /// - Returns: Tuple of (total count, active count, total size, reclaimable size)
-    public func calculateDiskUsage(activeReferences: Set<String>) async throws -> (Int, Int, UInt64, UInt64) {
+    public func calculateDiskUsage(activeReferences: Set<String>) async throws -> (totalCount: Int, activeCount: Int, totalSize: UInt64, reclaimableSize: UInt64) {
         self.log.debug(
             "ImagesService: enter",
             metadata: [
@@ -290,49 +297,41 @@ public actor ImagesService {
         }
 
         let images = try await self._list()
-        var totalSize: UInt64 = 0
-        var reclaimableSize: UInt64 = 0
         var activeCount = 0
+        var activeContentSizes: [String: UInt64] = [:]
+        var activeSnapshotSizes: [String: UInt64] = [:]
+        var processedDigests = Set<String>()
 
         for image in images {
-            // Calculate size for all platform variants
-            let imageSize = try await self.calculateImageSize(image)
-            totalSize += imageSize
-
-            // Check if image is referenced by any container
-            let isActive = activeReferences.contains(image.reference)
-            if isActive {
-                activeCount += 1
-            } else {
-                reclaimableSize += imageSize
+            guard activeReferences.contains(image.reference) else { continue }
+            activeCount += 1
+            let imageDigest = image.digest.trimmingDigestPrefix
+            guard processedDigests.insert(imageDigest).inserted else { continue }
+
+            for digest in try await image.referencedDigests() where activeContentSizes[digest] == nil {
+                guard let content: Content = try await self.contentStore.get(digest: digest) else { continue }
+                activeContentSizes[digest] = try self.contentDiskSize(content)
+            }
+            for (digest, size) in try await self.snapshotStore.getSnapshotSizes(for: image) {
+                activeSnapshotSizes[digest] = size
             }
         }
 
-        return (images.count, activeCount, totalSize, reclaimableSize)
-    }
-
-    /// Calculate total size for an image including all platform variants
-    private func calculateImageSize(_ image: Containerization.Image) async throws -> UInt64 {
-        var totalSize: UInt64 = 0
-        let index = try await image.index()
-
-        for descriptor in index.manifests {
-            // Skip attestation manifests
-            if let refType = descriptor.annotations?["vnd.docker.reference.type"],
-                refType == "attestation-manifest"
-            {
-                continue
-            }
+        let snapshotDiskSize = await self.snapshotStore.totalAllocatedSize()
+        let contentDiskSize = try await self.contentStoreTotalSize()
+        let totalOnDisk = contentDiskSize + snapshotDiskSize
+        let activeSize = activeContentSizes.values.reduce(0, +) + activeSnapshotSizes.values.reduce(0, +)
+        let reclaimable = totalOnDisk > activeSize ? totalOnDisk - activeSize : 0
 
-            guard descriptor.platform != nil else { continue }
+        return (images.count, activeCount, totalOnDisk, reclaimable)
+    }
 
-            // Get snapshot size for this platform
-            if let snapshotSize = try? await self.snapshotStore.getSnapshotSize(descriptor: descriptor) {
-                totalSize += snapshotSize
-            }
+    private func contentDiskSize(_ content: Content) throws -> UInt64 {
+        let values = try? content.path.resourceValues(forKeys: [.totalFileAllocatedSizeKey])
+        if let allocatedSize = values?.totalFileAllocatedSize {
+            return UInt64(allocatedSize)
         }
-
-        return totalSize
+        return try content.size()
     }
 }