Unlock Docker’s Layered Filesystem: How AUFS, Devicemapper, and Image Commits Work
This article explains Docker’s layered file‑system concepts, compares AUFS, devicemapper, and other storage drivers, demonstrates mounting with AUFS, shows how read‑only and read‑write layers enable container isolation, and details how image commits create new layers for version control.
Marshall (张克琛) – a senior operations expert with 8 years of experience, former entrepreneur, and current Cloud Wisdom Operations Director, responsible for a SaaS monitoring platform serving hundreds of thousands of enterprise users. He loves Docker and new technologies.

Let’s start today’s sharing.
Docker’s many features stem from its layered file system. Because the file system is layered, Docker can iterate quickly and roll back changes, similar to Git where each commit has an ID used for rollback. Supported storage drivers include AUFS, devicemapper, btrfs, and VFS; the first three are union file systems that support layering, while VFS does not. AUFS and devicemapper are the most commonly used. AUFS (Advanced Multi‑layered Unification File System) is a union file system that mounts multiple directories into a single virtual file system. Example command:
mount -t aufs -o br=/tmp/dir1=ro:/tmp/dir2=rw none /tmp/newfs

The -o option passes parameters to the file system; br specifies the directories to mount (dir1 read‑only, dir2 read‑write). none is used when there is no actual device. Docker uses both read‑only and read‑write layers: the image layer is read‑only, and each container gets its own writable layer. When a container modifies a file from the read‑only layer, the file is copied up to the writable layer, achieving isolation.

Q: Why is the image layer read‑only when starting a container?
Answer: An image can start multiple containers. If every container could write to the shared read‑only part, conflicts would arise. Docker therefore mounts the image layer as read‑only and gives each container a separate writable layer. Modifications are written to the writable layer, leaving the original read‑only layer unchanged.

Q: What does the none argument mean?
Answer: It indicates that there is no actual block device; the command requires a device name, so none is used as a placeholder.

Q: Is the mount command executed inside the container or on the host?
Answer: Inside the container.

After mounting /tmp/dir1 (read‑only) and /tmp/dir2 (read‑write) to /tmp/newfs, files created in the source directories appear in the merged view, with the file from the read‑only layer remaining read‑only. If a file exists in both layers, the one from the first mounted directory takes precedence. Creating a new directory (e.g., mkdir test) does not create a new layer; only docker commit does.
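To make the branch rules above concrete (topmost branch wins, writes are copied up into the writable branch, the read‑only branch is never touched), here is an added Python model written for this article; it is not code from the original post and not AUFS itself. It assumes Docker's arrangement of one writable branch stacked above a read‑only image branch, models whole files in a flat directory, and uses the AUFS convention of a .wh.<name> whiteout file to record a deletion. The class and function names (UnionMount, demo) and all file contents are constructed for the example.

```python
import os
import tempfile

# AUFS records the deletion of a lower-branch file by creating ".wh.<name>" in the writable branch.
WHITEOUT_PREFIX = ".wh."


class UnionMount:
    """Toy model of 'br=top:...:bottom': branches listed top-down, exactly one of them writable.

    Models the branch semantics only (whole files, flat directory); it is not AUFS itself."""

    def __init__(self, branches):
        # branches: list of (directory, "rw" | "ro"), topmost first, as Docker stacks the
        # container's writable layer above the read-only image layer.
        self.branches = branches
        writable = [d for d, mode in branches if mode == "rw"]
        assert len(writable) == 1, "exactly one writable branch expected"
        self.rw = writable[0]

    def _provider(self, name):
        """Topmost branch that holds `name`, or None; a whiteout higher up hides lower copies."""
        for directory, _ in self.branches:
            if os.path.exists(os.path.join(directory, WHITEOUT_PREFIX + name)):
                return None
            if os.path.exists(os.path.join(directory, name)):
                return directory
        return None

    def listdir(self):
        """Merged view at the mount point: higher branches shadow lower ones."""
        seen, hidden = set(), set()
        for directory, _ in self.branches:
            entries = os.listdir(directory)
            hidden |= {e[len(WHITEOUT_PREFIX):] for e in entries if e.startswith(WHITEOUT_PREFIX)}
            seen |= {e for e in entries if not e.startswith(WHITEOUT_PREFIX) and e not in hidden}
        return sorted(seen)

    def read(self, name):
        directory = self._provider(name)
        if directory is None:
            raise FileNotFoundError(name)
        with open(os.path.join(directory, name)) as fh:
            return fh.read()

    def write(self, name, data):
        """Every write lands in the writable branch; read-only branches are never touched."""
        whiteout = os.path.join(self.rw, WHITEOUT_PREFIX + name)
        if os.path.exists(whiteout):
            os.remove(whiteout)  # re-creating a deleted file lifts its whiteout
        with open(os.path.join(self.rw, name), "w") as fh:
            fh.write(data)

    def append(self, name, data):
        """Modify a file that lives in a lower branch: copy-up into the writable branch, then change it."""
        self.write(name, self.read(name) + data)

    def delete(self, name):
        """Remove the writable copy; if a lower copy still shows through, mask it with a whiteout."""
        if self._provider(name) is None:
            raise FileNotFoundError(name)
        own = os.path.join(self.rw, name)
        if os.path.exists(own):
            os.remove(own)
        if self._provider(name) is not None:
            open(os.path.join(self.rw, WHITEOUT_PREFIX + name), "w").close()


def demo():
    """Two containers sharing one read-only image layer (all file contents are constructed samples)."""
    with tempfile.TemporaryDirectory() as tmp:
        image = os.path.join(tmp, "image")
        rw_a = os.path.join(tmp, "container_a")
        rw_b = os.path.join(tmp, "container_b")
        for d in (image, rw_a, rw_b):
            os.makedirs(d)
        for name, body in {"motd": "welcome\n", "hosts": "127.0.0.1 localhost\n"}.items():
            with open(os.path.join(image, name), "w") as fh:
                fh.write(body)

        a = UnionMount([(rw_a, "rw"), (image, "ro")])
        b = UnionMount([(rw_b, "rw"), (image, "ro")])
        a.append("motd", "patched by A\n")   # copy-up: image/motd is untouched
        a.delete("hosts")                    # whiteout: image/hosts is untouched
        a.write("app.log", "started\n")      # new file exists only in A's layer
        with open(os.path.join(image, "motd")) as fh:
            image_motd = fh.read()
        return {
            "a_view": a.listdir(),
            "b_view": b.listdir(),
            "a_motd": a.read("motd"),
            "b_motd": b.read("motd"),
            "image_motd": image_motd,
            "image_dir": sorted(os.listdir(image)),
            "a_layer": sorted(os.listdir(rw_a)),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running it shows why the image layer can be shared: container A's edit, deletion and new file all live in container_a, container B still sees the pristine image, and the image directory itself ends exactly as it started. The .wh.hosts entry in A's layer is what the merged view uses to hide the lower copy.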
docker commit

Saving a container as an image:
docker save -o cloud_jiankongbao:01.tar cloud_jiankongbao:01
# cloud_jiankongbao:01.tar is the image file, cloud_jiankongbao:01 is the container ID.

Extracting the saved image reveals several directories, each named with a layer ID. Each docker commit creates a new layer ID, enabling image rollback.
docker images --tree
└─f1b10cd84249 (size 0 B)
  └─fb9cc58bde0c (size 203.1 MB)
    └─a005304e4e74 (size 203.1 MB)
      └─d9bde94c518a (size 1.957 GB) Tags: cloud_jiankongbao:01

Each layer directory contains json, layer.tar, and VERSION. Inspecting layer.tar shows the file system contents of that layer.
tar -xf layer.tar
ls fb9cc58bde0c/
# shows bin, etc, lib, usr, …

Four commits resulted in four layer IDs, representing successive image versions.
f1b10cd84249 – base image (size 0)
fb9cc58bde0c – built on base, adds more files (e.g., tar utility)
a005304e4e74 – built on previous, adds minimal changes (e.g., gtar)

devicemapper uses snapshot and thin‑provisioned snapshot techniques to stack multiple snapshots on a single volume, providing a layered file system similar to VM snapshots. When using devicemapper, a container’s maximum size is limited to 10 GB unless the daemon is started with -s devicemapper.
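The commit chain above (an empty base, a layer adding tar, a layer adding gtar) and the <id>/json, <id>/layer.tar, <id>/VERSION layout that docker save produced can be reproduced end to end. The following is an added Python example written for this article, not Docker's own implementation: LayerStore, layer_id and apply_layer are hypothetical names, the content‑addressed id scheme is an assumption (Docker's ids are derived differently), each commit is modelled as the diff held in the container's writable directory, and deletions use the same .wh.<name> whiteout convention AUFS uses. It also shows the check a defender wants when unpacking a layer.tar: entries are applied only if they stay inside the target root, since a layer pulled from an untrusted image is attacker‑controlled input.

```python
import hashlib
import io
import json
import os
import tarfile
import tempfile

WHITEOUT_PREFIX = ".wh."   # a deletion recorded in a layer, same convention as the AUFS branch


def layer_id(tar_bytes, parent):
    """Hypothetical content-addressed id (not Docker's scheme): named by the diff plus its parent."""
    return hashlib.sha256(tar_bytes + parent.encode()).hexdigest()[:12]


class LayerStore:
    """Layers kept in the layout 'docker save' produced above: <id>/json, <id>/layer.tar, <id>/VERSION."""

    def __init__(self, root):
        self.root = root
        os.makedirs(root, exist_ok=True)

    def commit(self, writable_dir, parent=""):
        """Freeze a container's writable layer as a new read-only layer, then empty it
        (the container carries on with a fresh writable layer above the new image)."""
        buf = io.BytesIO()
        with tarfile.open(fileobj=buf, mode="w") as tar:
            for name in sorted(os.listdir(writable_dir)):
                tar.add(os.path.join(writable_dir, name), arcname=name)
        data = buf.getvalue()
        lid = layer_id(data, parent)
        layer_dir = os.path.join(self.root, lid)
        os.makedirs(layer_dir, exist_ok=True)
        with open(os.path.join(layer_dir, "layer.tar"), "wb") as fh:
            fh.write(data)
        with open(os.path.join(layer_dir, "json"), "w") as fh:
            json.dump({"id": lid, "parent": parent}, fh)
        with open(os.path.join(layer_dir, "VERSION"), "w") as fh:
            fh.write("1.0")
        for name in os.listdir(writable_dir):
            os.remove(os.path.join(writable_dir, name))
        return lid

    def chain(self, lid):
        """Ancestry from the base layer down to `lid`, the order 'docker images --tree' prints."""
        out = []
        while lid:
            out.append(lid)
            with open(os.path.join(self.root, lid, "json")) as fh:
                lid = json.load(fh)["parent"]
        return out[::-1]

    def materialize(self, lid, dest):
        """Rebuild the root filesystem of image `lid` by applying every ancestor's diff bottom-up.
        Rolling back is simply materializing an older id."""
        os.makedirs(dest, exist_ok=True)
        for ancestor in self.chain(lid):
            with tarfile.open(os.path.join(self.root, ancestor, "layer.tar")) as tar:
                apply_layer(tar, dest)
        return sorted(os.listdir(dest))


def apply_layer(tar, dest):
    """Unpack one layer.tar onto `dest`, honouring whiteouts and refusing any entry that would
    land outside `dest` (absolute names or '..' components in an untrusted layer)."""
    root = os.path.realpath(dest)
    for member in tar.getmembers():
        target = os.path.realpath(os.path.join(root, member.name))
        if os.path.commonpath([root, target]) != root:
            raise ValueError(f"refusing entry outside the layer root: {member.name}")
        base = os.path.basename(member.name)
        if base.startswith(WHITEOUT_PREFIX):
            victim = os.path.join(os.path.dirname(target), base[len(WHITEOUT_PREFIX):])
            if os.path.isfile(victim):
                os.remove(victim)
        elif member.isdir():
            os.makedirs(target, exist_ok=True)
        elif member.isfile():
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with tar.extractfile(member) as src, open(target, "wb") as dst:
                dst.write(src.read())


def demo():
    """Constructed sample: empty base, two commits adding files, one commit deleting a file."""
    with tempfile.TemporaryDirectory() as tmp:
        store = LayerStore(os.path.join(tmp, "store"))
        work = os.path.join(tmp, "rw")
        os.makedirs(work)

        def put(name, body):
            with open(os.path.join(work, name), "w") as fh:
                fh.write(body)

        base = store.commit(work)                  # empty base, like f1b10cd84249 (size 0)
        put("tar", "tar binary (constructed)\n")
        v1 = store.commit(work, parent=base)       # adds tar
        put("gtar", "gtar binary (constructed)\n")
        v2 = store.commit(work, parent=v1)         # adds gtar
        open(os.path.join(work, WHITEOUT_PREFIX + "tar"), "w").close()
        v3 = store.commit(work, parent=v2)         # deletes tar via a whiteout

        buf = io.BytesIO()                         # a hostile layer.tar with a '..' entry
        with tarfile.open(fileobj=buf, mode="w") as tar:
            tar.addfile(tarfile.TarInfo("../escaped"))
        buf.seek(0)
        hostile_refused = False
        try:
            with tarfile.open(fileobj=buf) as tar:
                apply_layer(tar, os.path.join(tmp, "sandbox"))
        except ValueError:
            hostile_refused = True

        return {
            "chain": store.chain(v3) == [base, v1, v2, v3],
            "v1": store.materialize(v1, os.path.join(tmp, "fs1")),
            "v2": store.materialize(v2, os.path.join(tmp, "fs2")),
            "v3": store.materialize(v3, os.path.join(tmp, "fs3")),
            "hostile_refused": hostile_refused,
            "layer_files": sorted(os.listdir(os.path.join(store.root, v2))),
        }
```

Materializing v1, v2 and v3 gives three different root filesystems from the same store, which is the rollback the article describes: the older layers are never rewritten, a newer id only adds a diff on top. The traversal check in apply_layer is deliberately separate from the layer logic so it can be applied to any layer.tar before trusting its contents.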
docker -d -s devicemapper

Each running container receives its own writable layer while the image layer remains read‑only, ensuring file‑system isolation between containers. Docker’s isolation is “weak” because containers share the host kernel and certain system directories (e.g., /proc, /sys). Full isolation requires virtual machines, which sacrifice Docker’s lightweight nature.
Source: http://mp.weixin.qq.com/s?__biz=MzAwNzA0NTMzMQ==&mid=215867339&idx=1&sn=b5f58d782af7a88607ff3b5c8c7d92c9
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact us and we will review it promptly.
MaGe Linux Operations