Rootfs and container images
In the context of container technologies like Docker, the filesystem mounted to the container's root directory to provide an isolated execution environment is known as the rootfs (root filesystem).^[Docker基础.md] This concept is central to how containers achieve environmental consistency.
Composition and Structure
A rootfs typically appears as a standard operating system directory structure containing files and directories such as /bin, /dev, /etc, /lib, and /usr.^[Docker基础.md] It represents the file system view accessible to the processes running inside the container.
Union Mounting (Layered Images)
Modern container images are rarely a single, monolithic file system. Instead, they utilize a layered structure where the rootfs is composed of multiple "layers" (incremental rootfs).^[Docker基础.md]
- Layers: Each step in a container image's creation process generates a layer.^[Docker基础.md] For example, an Ubuntu image might consist of multiple layers, where each layer represents a part of the operating system's files and directories.^[Docker基础.md]
- Union Mount: When a container is run, storage drivers like AuFS combine these layers into a single unified view through a process called union mounting.^[Docker基础.md] These layers are mounted at a specific location (e.g., /var/lib/docker/aufs/mnt/...) to form the complete root directory visible to the container.^[Docker基础.md]
This layered approach allows for efficient storage and reuse, as images can share common base layers while maintaining individual differences in upper layers.
Role in Container Creation
Mounting the rootfs and switching into it is one of the three core operations performed when creating a container, alongside enabling Linux Namespaces and setting Cgroups parameters.^[Docker基础.md] The process involves:
- Enable Linux Namespaces: To isolate the process view (PID, Network, etc.).
- Set Cgroups parameters: To constrain resources (CPU, Memory).
- Switch Root (Change Root): To pivot the process's root directory to the mounted rootfs.^[Docker基础.md]
While the container shares the host operating system's kernel, the rootfs ensures that the user space environment (libraries, configurations, and tools) remains consistent regardless of the underlying host.^[Docker基础.md]
Immutability and Modification
The layers in a rootfs are typically read-only.^[Docker基础.md] When a container is launched, a writable layer is often added on top of the read-only base layers.
- Modifications: Any changes made within the running container (such as installing a package or modifying a file) are written to this top, writable layer.^[Docker基础.md]
- Persistence: To save these changes permanently (e.g., for a colleague to use), the modified writable layer can be committed into a new read-only image layer using commands like docker commit.^[Docker基础.md]
This mechanism allows the original base image to remain untouched while derived images can be created, enhanced, and shared via registries like Docker Hub.^[Docker基础.md]
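The layering, writable-layer and commit behaviour described above can be modelled with plain directories. This is an added example, not code from the cited source or from Docker: it replaces the AuFS union mount with a "topmost layer wins" lookup, and the function names (resolve, start_container, write, commit, demo) and sample files are hypothetical.

```python
import shutil
import tempfile
from pathlib import Path

def resolve(layers, rel):
    """Return the file a union mount would show for `rel`: the topmost layer wins."""
    for layer in reversed(layers):
        candidate = Path(layer) / rel
        if candidate.is_file():
            return candidate
    raise FileNotFoundError(rel)

def start_container(image_layers, workdir):
    """Stack a fresh, empty writable layer on top of the read-only image layers."""
    upper = Path(tempfile.mkdtemp(prefix="rw-", dir=str(workdir)))
    return list(image_layers) + [upper]

def write(container_layers, rel, data):
    """All modifications land in the top writable layer; lower layers are never touched."""
    target = Path(container_layers[-1]) / rel
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(data)

def commit(container_layers, workdir):
    """Model of `docker commit`: freeze the writable layer into a new image layer."""
    frozen = Path(tempfile.mkdtemp(prefix="layer-", dir=str(workdir)))
    shutil.copytree(container_layers[-1], frozen, dirs_exist_ok=True)
    return container_layers[:-1] + [frozen]

def demo():
    work = Path(tempfile.mkdtemp(prefix="rootfs-demo-"))
    # Constructed sample image: two read-only layers with one file each.
    base, tools = work / "layer-base", work / "layer-tools"
    for layer, rel, text in [(base, "etc/motd", "base\n"), (tools, "usr/bin/tool", "v1\n")]:
        (layer / rel).parent.mkdir(parents=True)
        (layer / rel).write_text(text)
    image = [base, tools]
    c1 = start_container(image, work)
    write(c1, "etc/motd", "patched in container 1\n")
    c2 = start_container(image, work)   # second container from the same image
    derived = commit(c1, work)          # derived image = old layers + frozen change
    c3 = start_container(derived, work)
    views = {n: resolve(c, "etc/motd").read_text() for n, c in [("c1", c1), ("c2", c2), ("c3", c3)]}
    views["base_on_disk"] = (base / "etc/motd").read_text()
    return views

if __name__ == "__main__":
    print(demo())
```

Container c2 still sees the base file because c1's change never reached the shared lower layers; only containers started from the committed image see it.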
Related Concepts
- [[Namespaces]]
- [[Cgroups]]
- [[Union file system]]
- [[Change Root]]
Sources
Docker基础.md