1.. SPDX-License-Identifier: GPL-2.0 2 3Written by: Neil Brown 4Please see MAINTAINERS file for where to send questions. 5 6Overlay Filesystem 7================== 8 9This document describes a prototype for a new approach to providing 10overlay-filesystem functionality in Linux (sometimes referred to as 11union-filesystems). An overlay-filesystem tries to present a 12filesystem which is the result over overlaying one filesystem on top 13of the other. 14 15 16Overlay objects 17--------------- 18 19The overlay filesystem approach is 'hybrid', because the objects that 20appear in the filesystem do not always appear to belong to that filesystem. 21In many cases, an object accessed in the union will be indistinguishable 22from accessing the corresponding object from the original filesystem. 23This is most obvious from the 'st_dev' field returned by stat(2). 24 25While directories will report an st_dev from the overlay-filesystem, 26non-directory objects may report an st_dev from the lower filesystem or 27upper filesystem that is providing the object. Similarly st_ino will 28only be unique when combined with st_dev, and both of these can change 29over the lifetime of a non-directory object. Many applications and 30tools ignore these values and will not be affected. 31 32In the special case of all overlay layers on the same underlying 33filesystem, all objects will report an st_dev from the overlay 34filesystem and st_ino from the underlying filesystem. This will 35make the overlay mount more compliant with filesystem scanners and 36overlay objects will be distinguishable from the corresponding 37objects in the original filesystem. 38 39On 64bit systems, even if all overlay layers are not on the same 40underlying filesystem, the same compliant behavior could be achieved 41with the "xino" feature. The "xino" feature composes a unique object 42identifier from the real object st_ino and an underlying fsid number. 43The "xino" feature uses the high inode number bits for fsid, because the 44underlying filesystems rarely use the high inode number bits. In case 45the underlying inode number does overflow into the high xino bits, overlay 46filesystem will fall back to the non xino behavior for that inode. 47 48The "xino" feature can be enabled with the "-o xino=on" overlay mount option. 49If all underlying filesystems support NFS file handles, the value of st_ino 50for overlay filesystem objects is not only unique, but also persistent over 51the lifetime of the filesystem. The "-o xino=auto" overlay mount option 52enables the "xino" feature only if the persistent st_ino requirement is met. 53 54The following table summarizes what can be expected in different overlay 55configurations. 56 57Inode properties 58```````````````` 59 60+--------------+------------+------------+-----------------+----------------+ 61|Configuration | Persistent | Uniform | st_ino == d_ino | d_ino == i_ino | 62| | st_ino | st_dev | | [*] | 63+==============+=====+======+=====+======+========+========+========+=======+ 64| | dir | !dir | dir | !dir | dir + !dir | dir | !dir | 65+--------------+-----+------+-----+------+--------+--------+--------+-------+ 66| All layers | Y | Y | Y | Y | Y | Y | Y | Y | 67| on same fs | | | | | | | | | 68+--------------+-----+------+-----+------+--------+--------+--------+-------+ 69| Layers not | N | N | Y | N | N | Y | N | Y | 70| on same fs, | | | | | | | | | 71| xino=off | | | | | | | | | 72+--------------+-----+------+-----+------+--------+--------+--------+-------+ 73| xino=on/auto | Y | Y | Y | Y | Y | Y | Y | Y | 74+--------------+-----+------+-----+------+--------+--------+--------+-------+ 75| xino=on/auto,| N | N | Y | N | N | Y | N | Y | 76| ino overflow | | | | | | | | | 77+--------------+-----+------+-----+------+--------+--------+--------+-------+ 78 79[*] nfsd v3 readdirplus verifies d_ino == i_ino. i_ino is exposed via several 80/proc files, such as /proc/locks and /proc/self/fdinfo/<fd> of an inotify 81file descriptor. 82 83Upper and Lower 84--------------- 85 86An overlay filesystem combines two filesystems - an 'upper' filesystem 87and a 'lower' filesystem. When a name exists in both filesystems, the 88object in the 'upper' filesystem is visible while the object in the 89'lower' filesystem is either hidden or, in the case of directories, 90merged with the 'upper' object. 91 92It would be more correct to refer to an upper and lower 'directory 93tree' rather than 'filesystem' as it is quite possible for both 94directory trees to be in the same filesystem and there is no 95requirement that the root of a filesystem be given for either upper or 96lower. 97 98A wide range of filesystems supported by Linux can be the lower filesystem, 99but not all filesystems that are mountable by Linux have the features 100needed for OverlayFS to work. The lower filesystem does not need to be 101writable. The lower filesystem can even be another overlayfs. The upper 102filesystem will normally be writable and if it is it must support the 103creation of trusted.* and/or user.* extended attributes, and must provide 104valid d_type in readdir responses, so NFS is not suitable. 105 106A read-only overlay of two read-only filesystems may use any 107filesystem type. 108 109Directories 110----------- 111 112Overlaying mainly involves directories. If a given name appears in both 113upper and lower filesystems and refers to a non-directory in either, 114then the lower object is hidden - the name refers only to the upper 115object. 116 117Where both upper and lower objects are directories, a merged directory 118is formed. 119 120At mount time, the two directories given as mount options "lowerdir" and 121"upperdir" are combined into a merged directory:: 122 123 mount -t overlay overlay -olowerdir=/lower,upperdir=/upper,\ 124 workdir=/work /merged 125 126The "workdir" needs to be an empty directory on the same filesystem 127as upperdir. 128 129Then whenever a lookup is requested in such a merged directory, the 130lookup is performed in each actual directory and the combined result 131is cached in the dentry belonging to the overlay filesystem. If both 132actual lookups find directories, both are stored and a merged 133directory is created, otherwise only one is stored: the upper if it 134exists, else the lower. 135 136Only the lists of names from directories are merged. Other content 137such as metadata and extended attributes are reported for the upper 138directory only. These attributes of the lower directory are hidden. 139 140whiteouts and opaque directories 141-------------------------------- 142 143In order to support rm and rmdir without changing the lower 144filesystem, an overlay filesystem needs to record in the upper filesystem 145that files have been removed. This is done using whiteouts and opaque 146directories (non-directories are always opaque). 147 148A whiteout is created as a character device with 0/0 device number or 149as a zero-size regular file with the xattr "trusted.overlay.whiteout". 150 151When a whiteout is found in the upper level of a merged directory, any 152matching name in the lower level is ignored, and the whiteout itself 153is also hidden. 154 155A directory is made opaque by setting the xattr "trusted.overlay.opaque" 156to "y". Where the upper filesystem contains an opaque directory, any 157directory in the lower filesystem with the same name is ignored. 158 159An opaque directory should not contain any whiteouts, because they do not 160serve any purpose. A merge directory containing regular files with the xattr 161"trusted.overlay.whiteout", should be additionally marked by setting the xattr 162"trusted.overlay.opaque" to "x" on the merge directory itself. 163This is needed to avoid the overhead of checking the "trusted.overlay.whiteout" 164on all entries during readdir in the common case. 165 166readdir 167------- 168 169When a 'readdir' request is made on a merged directory, the upper and 170lower directories are each read and the name lists merged in the 171obvious way (upper is read first, then lower - entries that already 172exist are not re-added). This merged name list is cached in the 173'struct file' and so remains as long as the file is kept open. If the 174directory is opened and read by two processes at the same time, they 175will each have separate caches. A seekdir to the start of the 176directory (offset 0) followed by a readdir will cause the cache to be 177discarded and rebuilt. 178 179This means that changes to the merged directory do not appear while a 180directory is being read. This is unlikely to be noticed by many 181programs. 182 183seek offsets are assigned sequentially when the directories are read. 184Thus if: 185 186 - read part of a directory 187 - remember an offset, and close the directory 188 - re-open the directory some time later 189 - seek to the remembered offset 190 191there may be little correlation between the old and new locations in 192the list of filenames, particularly if anything has changed in the 193directory. 194 195Readdir on directories that are not merged is simply handled by the 196underlying directory (upper or lower). 197 198renaming directories 199-------------------- 200 201When renaming a directory that is on the lower layer or merged (i.e. the 202directory was not created on the upper layer to start with) overlayfs can 203handle it in two different ways: 204 2051. return EXDEV error: this error is returned by rename(2) when trying to 206 move a file or directory across filesystem boundaries. Hence 207 applications are usually prepared to handle this error (mv(1) for example 208 recursively copies the directory tree). This is the default behavior. 209 2102. If the "redirect_dir" feature is enabled, then the directory will be 211 copied up (but not the contents). Then the "trusted.overlay.redirect" 212 extended attribute is set to the path of the original location from the 213 root of the overlay. Finally the directory is moved to the new 214 location. 215 216There are several ways to tune the "redirect_dir" feature. 217 218Kernel config options: 219 220- OVERLAY_FS_REDIRECT_DIR: 221 If this is enabled, then redirect_dir is turned on by default. 222- OVERLAY_FS_REDIRECT_ALWAYS_FOLLOW: 223 If this is enabled, then redirects are always followed by default. Enabling 224 this results in a less secure configuration. Enable this option only when 225 worried about backward compatibility with kernels that have the redirect_dir 226 feature and follow redirects even if turned off. 227 228Module options (can also be changed through /sys/module/overlay/parameters/): 229 230- "redirect_dir=BOOL": 231 See OVERLAY_FS_REDIRECT_DIR kernel config option above. 232- "redirect_always_follow=BOOL": 233 See OVERLAY_FS_REDIRECT_ALWAYS_FOLLOW kernel config option above. 234- "redirect_max=NUM": 235 The maximum number of bytes in an absolute redirect (default is 256). 236 237Mount options: 238 239- "redirect_dir=on": 240 Redirects are enabled. 241- "redirect_dir=follow": 242 Redirects are not created, but followed. 243- "redirect_dir=nofollow": 244 Redirects are not created and not followed. 245- "redirect_dir=off": 246 If "redirect_always_follow" is enabled in the kernel/module config, 247 this "off" translates to "follow", otherwise it translates to "nofollow". 248 249When the NFS export feature is enabled, every copied up directory is 250indexed by the file handle of the lower inode and a file handle of the 251upper directory is stored in a "trusted.overlay.upper" extended attribute 252on the index entry. On lookup of a merged directory, if the upper 253directory does not match the file handle stores in the index, that is an 254indication that multiple upper directories may be redirected to the same 255lower directory. In that case, lookup returns an error and warns about 256a possible inconsistency. 257 258Because lower layer redirects cannot be verified with the index, enabling 259NFS export support on an overlay filesystem with no upper layer requires 260turning off redirect follow (e.g. "redirect_dir=nofollow"). 261 262 263Non-directories 264--------------- 265 266Objects that are not directories (files, symlinks, device-special 267files etc.) are presented either from the upper or lower filesystem as 268appropriate. When a file in the lower filesystem is accessed in a way 269that requires write-access, such as opening for write access, changing 270some metadata etc., the file is first copied from the lower filesystem 271to the upper filesystem (copy_up). Note that creating a hard-link 272also requires copy_up, though of course creation of a symlink does 273not. 274 275The copy_up may turn out to be unnecessary, for example if the file is 276opened for read-write but the data is not modified. 277 278The copy_up process first makes sure that the containing directory 279exists in the upper filesystem - creating it and any parents as 280necessary. It then creates the object with the same metadata (owner, 281mode, mtime, symlink-target etc.) and then if the object is a file, the 282data is copied from the lower to the upper filesystem. Finally any 283extended attributes are copied up. 284 285Once the copy_up is complete, the overlay filesystem simply 286provides direct access to the newly created file in the upper 287filesystem - future operations on the file are barely noticed by the 288overlay filesystem (though an operation on the name of the file such as 289rename or unlink will of course be noticed and handled). 290 291 292Permission model 293---------------- 294 295An overlay filesystem stashes credentials that will be used when 296accessing lower or upper filesystems. 297 298In the old mount api the credentials of the task calling mount(2) are 299stashed. In the new mount api the credentials of the task creating the 300superblock through FSCONFIG_CMD_CREATE command of fsconfig(2) are 301stashed. 302 303Starting with kernel v6.15 it is possible to use the "override_creds" 304mount option which will cause the credentials of the calling task to be 305recorded. Note that "override_creds" is only meaningful when used with 306the new mount api as the old mount api combines setting options and 307superblock creation in a single mount(2) syscall. 308 309Permission checking in the overlay filesystem follows these principles: 310 311 1) permission check SHOULD return the same result before and after copy up 312 313 2) task creating the overlay mount MUST NOT gain additional privileges 314 315 3) task[*] MAY gain additional privileges through the overlay, 316 compared to direct access on underlying lower or upper filesystems 317 318This is achieved by performing two permission checks on each access: 319 320 a) check if current task is allowed access based on local DAC (owner, 321 group, mode and posix acl), as well as MAC checks 322 323 b) check if stashed credentials would be allowed real operation on lower or 324 upper layer based on underlying filesystem permissions, again including 325 MAC checks 326 327Check (a) ensures consistency (1) since owner, group, mode and posix acls 328are copied up. On the other hand it can result in server enforced 329permissions (used by NFS, for example) being ignored (3). 330 331Check (b) ensures that no task gains permissions to underlying layers that 332the stashed credentials do not have (2). This also means that it is possible 333to create setups where the consistency rule (1) does not hold; normally, 334however, the stashed credentials will have sufficient privileges to 335perform all operations. 336 337Another way to demonstrate this model is drawing parallels between:: 338 339 mount -t overlay overlay -olowerdir=/lower,upperdir=/upper,... /merged 340 341and:: 342 343 cp -a /lower /upper 344 mount --bind /upper /merged 345 346The resulting access permissions should be the same. The difference is in 347the time of copy (on-demand vs. up-front). 348 349 350Multiple lower layers 351--------------------- 352 353Multiple lower layers can now be given using the colon (":") as a 354separator character between the directory names. For example:: 355 356 mount -t overlay overlay -olowerdir=/lower1:/lower2:/lower3 /merged 357 358As the example shows, "upperdir=" and "workdir=" may be omitted. In 359that case the overlay will be read-only. 360 361The specified lower directories will be stacked beginning from the 362rightmost one and going left. In the above example lower1 will be the 363top, lower2 the middle and lower3 the bottom layer. 364 365Note: directory names containing colons can be provided as lower layer by 366escaping the colons with a single backslash. For example:: 367 368 mount -t overlay overlay -olowerdir=/a\:lower\:\:dir /merged 369 370Since kernel version v6.8, directory names containing colons can also 371be configured as lower layer using the "lowerdir+" mount options and the 372fsconfig syscall from new mount api. For example:: 373 374 fsconfig(fs_fd, FSCONFIG_SET_STRING, "lowerdir+", "/a:lower::dir", 0); 375 376In the latter case, colons in lower layer directory names will be escaped 377as an octal characters (\072) when displayed in /proc/self/mountinfo. 378 379Metadata only copy up 380--------------------- 381 382When the "metacopy" feature is enabled, overlayfs will only copy 383up metadata (as opposed to whole file), when a metadata specific operation 384like chown/chmod is performed. An upper file in this state is marked with 385"trusted.overlayfs.metacopy" xattr which indicates that the upper file 386contains no data. The data will be copied up later when file is opened for 387WRITE operation. After the lower file's data is copied up, 388the "trusted.overlayfs.metacopy" xattr is removed from the upper file. 389 390In other words, this is delayed data copy up operation and data is copied 391up when there is a need to actually modify data. 392 393There are multiple ways to enable/disable this feature. A config option 394CONFIG_OVERLAY_FS_METACOPY can be set/unset to enable/disable this feature 395by default. Or one can enable/disable it at module load time with module 396parameter metacopy=on/off. Lastly, there is also a per mount option 397metacopy=on/off to enable/disable this feature per mount. 398 399Do not use metacopy=on with untrusted upper/lower directories. Otherwise 400it is possible that an attacker can create a handcrafted file with 401appropriate REDIRECT and METACOPY xattrs, and gain access to file on lower 402pointed by REDIRECT. This should not be possible on local system as setting 403"trusted." xattrs will require CAP_SYS_ADMIN. But it should be possible 404for untrusted layers like from a pen drive. 405 406Note: redirect_dir={off|nofollow|follow[*]} and nfs_export=on mount options 407conflict with metacopy=on, and will result in an error. 408 409[*] redirect_dir=follow only conflicts with metacopy=on if upperdir=... is 410given. 411 412 413Data-only lower layers 414---------------------- 415 416With "metacopy" feature enabled, an overlayfs regular file may be a composition 417of information from up to three different layers: 418 419 1) metadata from a file in the upper layer 420 421 2) st_ino and st_dev object identifier from a file in a lower layer 422 423 3) data from a file in another lower layer (further below) 424 425The "lower data" file can be on any lower layer, except from the top most 426lower layer. 427 428Below the top most lower layer, any number of lower most layers may be defined 429as "data-only" lower layers, using double colon ("::") separators. 430A normal lower layer is not allowed to be below a data-only layer, so single 431colon separators are not allowed to the right of double colon ("::") separators. 432 433 434For example:: 435 436 mount -t overlay overlay -olowerdir=/l1:/l2:/l3::/do1::/do2 /merged 437 438The paths of files in the "data-only" lower layers are not visible in the 439merged overlayfs directories and the metadata and st_ino/st_dev of files 440in the "data-only" lower layers are not visible in overlayfs inodes. 441 442Only the data of the files in the "data-only" lower layers may be visible 443when a "metacopy" file in one of the lower layers above it, has a "redirect" 444to the absolute path of the "lower data" file in the "data-only" lower layer. 445 446Instead of explicitly enabling "metacopy=on" it is sufficient to specify at 447least one data-only layer to enable redirection of data to a data-only layer. 448In this case other forms of metacopy are rejected. Note: this way data-only 449layers may be used toghether with "userxattr", in which case careful attention 450must be given to privileges needed to change the "user.overlay.redirect" xattr 451to prevent misuse. 452 453Since kernel version v6.8, "data-only" lower layers can also be added using 454the "datadir+" mount options and the fsconfig syscall from new mount api. 455For example:: 456 457 fsconfig(fs_fd, FSCONFIG_SET_STRING, "lowerdir+", "/l1", 0); 458 fsconfig(fs_fd, FSCONFIG_SET_STRING, "lowerdir+", "/l2", 0); 459 fsconfig(fs_fd, FSCONFIG_SET_STRING, "lowerdir+", "/l3", 0); 460 fsconfig(fs_fd, FSCONFIG_SET_STRING, "datadir+", "/do1", 0); 461 fsconfig(fs_fd, FSCONFIG_SET_STRING, "datadir+", "/do2", 0); 462 463 464Specifying layers via file descriptors 465-------------------------------------- 466 467Since kernel v6.13, overlayfs supports specifying layers via file descriptors in 468addition to specifying them as paths. This feature is available for the 469"datadir+", "lowerdir+", "upperdir", and "workdir+" mount options with the 470fsconfig syscall from the new mount api:: 471 472 fsconfig(fs_fd, FSCONFIG_SET_FD, "lowerdir+", NULL, fd_lower1); 473 fsconfig(fs_fd, FSCONFIG_SET_FD, "lowerdir+", NULL, fd_lower2); 474 fsconfig(fs_fd, FSCONFIG_SET_FD, "lowerdir+", NULL, fd_lower3); 475 fsconfig(fs_fd, FSCONFIG_SET_FD, "datadir+", NULL, fd_data1); 476 fsconfig(fs_fd, FSCONFIG_SET_FD, "datadir+", NULL, fd_data2); 477 fsconfig(fs_fd, FSCONFIG_SET_FD, "workdir", NULL, fd_work); 478 fsconfig(fs_fd, FSCONFIG_SET_FD, "upperdir", NULL, fd_upper); 479 480 481fs-verity support 482----------------- 483 484During metadata copy up of a lower file, if the source file has 485fs-verity enabled and overlay verity support is enabled, then the 486digest of the lower file is added to the "trusted.overlay.metacopy" 487xattr. This is then used to verify the content of the lower file 488each the time the metacopy file is opened. 489 490When a layer containing verity xattrs is used, it means that any such 491metacopy file in the upper layer is guaranteed to match the content 492that was in the lower at the time of the copy-up. If at any time 493(during a mount, after a remount, etc) such a file in the lower is 494replaced or modified in any way, access to the corresponding file in 495overlayfs will result in EIO errors (either on open, due to overlayfs 496digest check, or from a later read due to fs-verity) and a detailed 497error is printed to the kernel logs. For more details of how fs-verity 498file access works, see :ref:`Documentation/filesystems/fsverity.rst 499<accessing_verity_files>`. 500 501Verity can be used as a general robustness check to detect accidental 502changes in the overlayfs directories in use. But, with additional care 503it can also give more powerful guarantees. For example, if the upper 504layer is fully trusted (by using dm-verity or something similar), then 505an untrusted lower layer can be used to supply validated file content 506for all metacopy files. If additionally the untrusted lower 507directories are specified as "Data-only", then they can only supply 508such file content, and the entire mount can be trusted to match the 509upper layer. 510 511This feature is controlled by the "verity" mount option, which 512supports these values: 513 514- "off": 515 The metacopy digest is never generated or used. This is the 516 default if verity option is not specified. 517- "on": 518 Whenever a metacopy files specifies an expected digest, the 519 corresponding data file must match the specified digest. When 520 generating a metacopy file the verity digest will be set in it 521 based on the source file (if it has one). 522- "require": 523 Same as "on", but additionally all metacopy files must specify a 524 digest (or EIO is returned on open). This means metadata copy up 525 will only be used if the data file has fs-verity enabled, 526 otherwise a full copy-up is used. 527 528Sharing and copying layers 529-------------------------- 530 531Lower layers may be shared among several overlay mounts and that is indeed 532a very common practice. An overlay mount may use the same lower layer 533path as another overlay mount and it may use a lower layer path that is 534beneath or above the path of another overlay lower layer path. 535 536Using an upper layer path and/or a workdir path that are already used by 537another overlay mount is not allowed and may fail with EBUSY. Using 538partially overlapping paths is not allowed and may fail with EBUSY. 539If files are accessed from two overlayfs mounts which share or overlap the 540upper layer and/or workdir path the behavior of the overlay is undefined, 541though it will not result in a crash or deadlock. 542 543Mounting an overlay using an upper layer path, where the upper layer path 544was previously used by another mounted overlay in combination with a 545different lower layer path, is allowed, unless the "index" or "metacopy" 546features are enabled. 547 548With the "index" feature, on the first time mount, an NFS file 549handle of the lower layer root directory, along with the UUID of the lower 550filesystem, are encoded and stored in the "trusted.overlay.origin" extended 551attribute on the upper layer root directory. On subsequent mount attempts, 552the lower root directory file handle and lower filesystem UUID are compared 553to the stored origin in upper root directory. On failure to verify the 554lower root origin, mount will fail with ESTALE. An overlayfs mount with 555"index" enabled will fail with EOPNOTSUPP if the lower filesystem 556does not support NFS export, lower filesystem does not have a valid UUID or 557if the upper filesystem does not support extended attributes. 558 559For the "metacopy" feature, there is no verification mechanism at 560mount time. So if same upper is mounted with different set of lower, mount 561probably will succeed but expect the unexpected later on. So don't do it. 562 563It is quite a common practice to copy overlay layers to a different 564directory tree on the same or different underlying filesystem, and even 565to a different machine. With the "index" feature, trying to mount 566the copied layers will fail the verification of the lower root file handle. 567 568Nesting overlayfs mounts 569------------------------ 570 571It is possible to use a lower directory that is stored on an overlayfs 572mount. For regular files this does not need any special care. However, files 573that have overlayfs attributes, such as whiteouts or "overlay.*" xattrs, will 574be interpreted by the underlying overlayfs mount and stripped out. In order to 575allow the second overlayfs mount to see the attributes they must be escaped. 576 577Overlayfs specific xattrs are escaped by using a special prefix of 578"overlay.overlay.". So, a file with a "trusted.overlay.overlay.metacopy" xattr 579in the lower dir will be exposed as a regular file with a 580"trusted.overlay.metacopy" xattr in the overlayfs mount. This can be nested by 581repeating the prefix multiple time, as each instance only removes one prefix. 582 583A lower dir with a regular whiteout will always be handled by the overlayfs 584mount, so to support storing an effective whiteout file in an overlayfs mount an 585alternative form of whiteout is supported. This form is a regular, zero-size 586file with the "overlay.whiteout" xattr set, inside a directory with the 587"overlay.opaque" xattr set to "x" (see `whiteouts and opaque directories`_). 588These alternative whiteouts are never created by overlayfs, but can be used by 589userspace tools (like containers) that generate lower layers. 590These alternative whiteouts can be escaped using the standard xattr escape 591mechanism in order to properly nest to any depth. 592 593Non-standard behavior 594--------------------- 595 596Current version of overlayfs can act as a mostly POSIX compliant 597filesystem. 598 599This is the list of cases that overlayfs doesn't currently handle: 600 601 a) POSIX mandates updating st_atime for reads. This is currently not 602 done in the case when the file resides on a lower layer. 603 604 b) If a file residing on a lower layer is opened for read-only and then 605 memory mapped with MAP_SHARED, then subsequent changes to the file are not 606 reflected in the memory mapping. 607 608 c) If a file residing on a lower layer is being executed, then opening that 609 file for write or truncating the file will not be denied with ETXTBSY. 610 611The following options allow overlayfs to act more like a standards 612compliant filesystem: 613 614redirect_dir 615```````````` 616 617Enabled with the mount option or module option: "redirect_dir=on" or with 618the kernel config option CONFIG_OVERLAY_FS_REDIRECT_DIR=y. 619 620If this feature is disabled, then rename(2) on a lower or merged directory 621will fail with EXDEV ("Invalid cross-device link"). 622 623index 624````` 625 626Enabled with the mount option or module option "index=on" or with the 627kernel config option CONFIG_OVERLAY_FS_INDEX=y. 628 629If this feature is disabled and a file with multiple hard links is copied 630up, then this will "break" the link. Changes will not be propagated to 631other names referring to the same inode. 632 633xino 634```` 635 636Enabled with the mount option "xino=auto" or "xino=on", with the module 637option "xino_auto=on" or with the kernel config option 638CONFIG_OVERLAY_FS_XINO_AUTO=y. Also implicitly enabled by using the same 639underlying filesystem for all layers making up the overlay. 640 641If this feature is disabled or the underlying filesystem doesn't have 642enough free bits in the inode number, then overlayfs will not be able to 643guarantee that the values of st_ino and st_dev returned by stat(2) and the 644value of d_ino returned by readdir(3) will act like on a normal filesystem. 645E.g. the value of st_dev may be different for two objects in the same 646overlay filesystem and the value of st_ino for filesystem objects may not be 647persistent and could change even while the overlay filesystem is mounted, as 648summarized in the `Inode properties`_ table above. 649 650 651Changes to underlying filesystems 652--------------------------------- 653 654Changes to the underlying filesystems while part of a mounted overlay 655filesystem are not allowed. If the underlying filesystem is changed, 656the behavior of the overlay is undefined, though it will not result in 657a crash or deadlock. 658 659Offline changes, when the overlay is not mounted, are allowed to the 660upper tree. Offline changes to the lower tree are only allowed if the 661"metacopy", "index", "xino" and "redirect_dir" features 662have not been used. If the lower tree is modified and any of these 663features has been used, the behavior of the overlay is undefined, 664though it will not result in a crash or deadlock. 665 666When the overlay NFS export feature is enabled, overlay filesystems 667behavior on offline changes of the underlying lower layer is different 668than the behavior when NFS export is disabled. 669 670On every copy_up, an NFS file handle of the lower inode, along with the 671UUID of the lower filesystem, are encoded and stored in an extended 672attribute "trusted.overlay.origin" on the upper inode. 673 674When the NFS export feature is enabled, a lookup of a merged directory, 675that found a lower directory at the lookup path or at the path pointed 676to by the "trusted.overlay.redirect" extended attribute, will verify 677that the found lower directory file handle and lower filesystem UUID 678match the origin file handle that was stored at copy_up time. If a 679found lower directory does not match the stored origin, that directory 680will not be merged with the upper directory. 681 682 683 684NFS export 685---------- 686 687When the underlying filesystems supports NFS export and the "nfs_export" 688feature is enabled, an overlay filesystem may be exported to NFS. 689 690With the "nfs_export" feature, on copy_up of any lower object, an index 691entry is created under the index directory. The index entry name is the 692hexadecimal representation of the copy up origin file handle. For a 693non-directory object, the index entry is a hard link to the upper inode. 694For a directory object, the index entry has an extended attribute 695"trusted.overlay.upper" with an encoded file handle of the upper 696directory inode. 697 698When encoding a file handle from an overlay filesystem object, the 699following rules apply: 700 701 1. For a non-upper object, encode a lower file handle from lower inode 702 2. For an indexed object, encode a lower file handle from copy_up origin 703 3. For a pure-upper object and for an existing non-indexed upper object, 704 encode an upper file handle from upper inode 705 706The encoded overlay file handle includes: 707 708 - Header including path type information (e.g. lower/upper) 709 - UUID of the underlying filesystem 710 - Underlying filesystem encoding of underlying inode 711 712This encoding format is identical to the encoding format file handles that 713are stored in extended attribute "trusted.overlay.origin". 714 715When decoding an overlay file handle, the following steps are followed: 716 717 1. Find underlying layer by UUID and path type information. 718 2. Decode the underlying filesystem file handle to underlying dentry. 719 3. For a lower file handle, lookup the handle in index directory by name. 720 4. If a whiteout is found in index, return ESTALE. This represents an 721 overlay object that was deleted after its file handle was encoded. 722 5. For a non-directory, instantiate a disconnected overlay dentry from the 723 decoded underlying dentry, the path type and index inode, if found. 724 6. For a directory, use the connected underlying decoded dentry, path type 725 and index, to lookup a connected overlay dentry. 726 727Decoding a non-directory file handle may return a disconnected dentry. 728copy_up of that disconnected dentry will create an upper index entry with 729no upper alias. 730 731When overlay filesystem has multiple lower layers, a middle layer 732directory may have a "redirect" to lower directory. Because middle layer 733"redirects" are not indexed, a lower file handle that was encoded from the 734"redirect" origin directory, cannot be used to find the middle or upper 735layer directory. Similarly, a lower file handle that was encoded from a 736descendant of the "redirect" origin directory, cannot be used to 737reconstruct a connected overlay path. To mitigate the cases of 738directories that cannot be decoded from a lower file handle, these 739directories are copied up on encode and encoded as an upper file handle. 740On an overlay filesystem with no upper layer this mitigation cannot be 741used NFS export in this setup requires turning off redirect follow (e.g. 742"redirect_dir=nofollow"). 743 744The overlay filesystem does not support non-directory connectable file 745handles, so exporting with the 'subtree_check' exportfs configuration will 746cause failures to lookup files over NFS. 747 748When the NFS export feature is enabled, all directory index entries are 749verified on mount time to check that upper file handles are not stale. 750This verification may cause significant overhead in some cases. 751 752Note: the mount options index=off,nfs_export=on are conflicting for a 753read-write mount and will result in an error. 754 755Note: the mount option uuid=off can be used to replace UUID of the underlying 756filesystem in file handles with null, and effectively disable UUID checks. This 757can be useful in case the underlying disk is copied and the UUID of this copy 758is changed. This is only applicable if all lower/upper/work directories are on 759the same filesystem, otherwise it will fallback to normal behaviour. 760 761 762UUID and fsid 763------------- 764 765The UUID of overlayfs instance itself and the fsid reported by statfs(2) are 766controlled by the "uuid" mount option, which supports these values: 767 768- "null": 769 UUID of overlayfs is null. fsid is taken from upper most filesystem. 770- "off": 771 UUID of overlayfs is null. fsid is taken from upper most filesystem. 772 UUID of underlying layers is ignored. 773- "on": 774 UUID of overlayfs is generated and used to report a unique fsid. 775 UUID is stored in xattr "trusted.overlay.uuid", making overlayfs fsid 776 unique and persistent. This option requires an overlayfs with upper 777 filesystem that supports xattrs. 778- "auto": (default) 779 UUID is taken from xattr "trusted.overlay.uuid" if it exists. 780 Upgrade to "uuid=on" on first time mount of new overlay filesystem that 781 meets the prerequites. 782 Downgrade to "uuid=null" for existing overlay filesystems that were never 783 mounted with "uuid=on". 784 785 786Volatile mount 787-------------- 788 789This is enabled with the "volatile" mount option. Volatile mounts are not 790guaranteed to survive a crash. It is strongly recommended that volatile 791mounts are only used if data written to the overlay can be recreated 792without significant effort. 793 794The advantage of mounting with the "volatile" option is that all forms of 795sync calls to the upper filesystem are omitted. 796 797In order to avoid a giving a false sense of safety, the syncfs (and fsync) 798semantics of volatile mounts are slightly different than that of the rest of 799VFS. If any writeback error occurs on the upperdir's filesystem after a 800volatile mount takes place, all sync functions will return an error. Once this 801condition is reached, the filesystem will not recover, and every subsequent sync 802call will return an error, even if the upperdir has not experience a new error 803since the last sync call. 804 805When overlay is mounted with "volatile" option, the directory 806"$workdir/work/incompat/volatile" is created. During next mount, overlay 807checks for this directory and refuses to mount if present. This is a strong 808indicator that user should throw away upper and work directories and create 809fresh one. In very limited cases where the user knows that the system has 810not crashed and contents of upperdir are intact, The "volatile" directory 811can be removed. 812 813 814User xattr 815---------- 816 817The "-o userxattr" mount option forces overlayfs to use the 818"user.overlay." xattr namespace instead of "trusted.overlay.". This is 819useful for unprivileged mounting of overlayfs. 820 821 822Testsuite 823--------- 824 825There's a testsuite originally developed by David Howells and currently 826maintained by Amir Goldstein at: 827 828https://github.com/amir73il/unionmount-testsuite.git 829 830Run as root:: 831 832 # cd unionmount-testsuite 833 # ./run --ov --verify 834