Union filesystem and layered images
Union filesystems (UnionFS) enable the storage of container images as a stack of multiple distinct layers.^[400-devops__06-Kubernetes__k8s-paas__原理及源码解析__Docker基础.md]
Instead of creating a full, monolithic copy of the operating environment for every container, Docker uses a layered approach where each step in the image creation process generates an incremental [[rootfs]]^[400-devops__06-Kubernetes__k8s-paas__原理及源码解析__Docker基础.md]. This structure allows for efficient storage reuse and modular composition of application environments^[400-devops__06-Kubernetes__k8s-paas__原理及源码解析__Docker基础.md].
Mechanism
The core function of a union filesystem is to combine several directories ("branches") into a single, coherent directory tree. In the context of Docker, this means that the visible file system of a container is actually a union mount of multiple layers^[400-devops__06-Kubernetes__k8s-paas__原理及源码解析__Docker基础.md].
The layers are typically stored as incremental rootfs directories, which are then mounted together at a unified mount point, such as /var/lib/docker/aufs/mnt/...^[400-devops__06-Kubernetes__k8s-paas__原理及源码解析__Docker基础.md]. Processes running inside the container see this unified mount point as a standard single file system (e.g., containing the bin, dev, etc, and home directories) and are unaware of the layered storage backing it^[400-devops__06-Kubernetes__k8s-paas__原理及源码解析__Docker基础.md].
Layered Images
Docker images are composed of a series of these layers^[400-devops__06-Kubernetes__k8s-paas__原理及源码解析__Docker基础.md]. Each layer corresponds to specific instructions in a Dockerfile (e.g., installing a dependency), resulting in a set of file changes relative to the previous layer^[400-devops__06-Kubernetes__k8s-paas__原理及源码解析__Docker基础.md].
When a container is launched, Docker orchestrates these layers:
- Read-only Layers: The base image and all intermediate layers are usually mounted as read-only.^[400-devops__06-Kubernetes__k8s-paas__原理及源码解析__Docker基础.md]
- Read-write Layer: A thin, writable layer is placed on top of the stack. This layer captures all modifications made by the running container (creating files, modifying logs, etc.).^[400-devops__06-Kubernetes__k8s-paas__原理及源码解析__Docker基础.md]
Storage Efficiency
This architecture solves the problem of environment repetition. If multiple containers share the same base image (e.g., ubuntu), the underlying layers are stored only once on disk and mounted into each container's namespace^[400-devops__06-Kubernetes__k8s-paas__原理及源码解析__Docker基础.md].
This facilitates the "Write once, run anywhere" consistency of containers by ensuring the base environment layers are immutable. If a user makes changes to a running container, only the top read-write layer is affected^[400-devops__06-Kubernetes__k8s-paas__原理及源码解析__Docker基础.md]. Changes can be persisted into a new image layer via the docker commit command, which saves the writable layer as a new read-only layer without altering the original base layers^[400-devops__06-Kubernetes__k8s-paas__原理及源码解析__Docker基础.md].
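The layer behaviour described above, as an added example that is not taken from the source notes or from Docker's code: a toy model in which each layer is a dict of path to content, lookups resolve top-down, writes land only in the writable layer, and commit freezes that layer on top of the unchanged originals. The class name, file paths and contents are constructed for illustration.

```python
# Toy model of a union mount (added illustration; not Docker's implementation).
from types import MappingProxyType


class UnionMount:
    """Read-only layers (bottom to top) plus one thin writable layer on top."""

    def __init__(self, ro_layers):
        self.ro_layers = tuple(ro_layers)   # shared, immutable branches
        self.rw = {}                        # per-container writable layer

    def read(self, path):
        # Resolve top-down: the highest layer that contains the path wins.
        for layer in (self.rw, *reversed(self.ro_layers)):
            if path in layer:
                return layer[path]
        raise FileNotFoundError(path)

    def write(self, path, data):
        # Every modification lands in the writable layer only.
        self.rw[path] = data

    def commit(self):
        # Like `docker commit`: freeze the writable layer as a new read-only
        # layer stacked on the untouched original layers.
        return self.ro_layers + (MappingProxyType(dict(self.rw)),)


# Constructed sample layers, one per hypothetical Dockerfile step.
BASE = MappingProxyType({"/etc/os-release": "ubuntu", "/bin/sh": "shell-v1"})
DEPS = MappingProxyType({"/usr/lib/libfoo.so": "libfoo-1.0"})
IMAGE = (BASE, DEPS)


def demo():
    a, b = UnionMount(IMAGE), UnionMount(IMAGE)   # two containers, one image
    a.write("/bin/sh", "patched-in-a")            # shadows BASE in a only
    a.write("/var/log/app.log", "started")
    new_image = a.commit()
    c = UnionMount(new_image)                     # container from committed image
    return {"a_sh": a.read("/bin/sh"), "b_sh": b.read("/bin/sh"),
            "c_sh": c.read("/bin/sh"), "c_log": c.read("/var/log/app.log"),
            "base_sh": BASE["/bin/sh"], "layers": len(new_image),
            "shared": a.ro_layers[0] is b.ro_layers[0]}


if __name__ == "__main__":
    print(demo())
```

In the result, base_sh is still the original content after container a overwrote /bin/sh: the upper layer shadows the lower file rather than replacing it, so the lower layer's copy remains stored in the image.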
Related Concepts
- [[Namespaces]]
- [[rootfs]]
- [[Cgroups]]
Sources
- 400-devops__06-Kubernetes__k8s-paas__原理及源码解析__Docker基础.md