xref: /linux/Documentation/filesystems/overlayfs.rst (revision 3df692169e8486fc3dd91fcd5ea81c27a0bac033)
1.. SPDX-License-Identifier: GPL-2.0
2
3Written by: Neil Brown
4Please see MAINTAINERS file for where to send questions.
5
6Overlay Filesystem
7==================
8
9This document describes a prototype for a new approach to providing
10overlay-filesystem functionality in Linux (sometimes referred to as
11union-filesystems).  An overlay-filesystem tries to present a
12filesystem which is the result over overlaying one filesystem on top
13of the other.
14
15
16Overlay objects
17---------------
18
19The overlay filesystem approach is 'hybrid', because the objects that
20appear in the filesystem do not always appear to belong to that filesystem.
21In many cases, an object accessed in the union will be indistinguishable
22from accessing the corresponding object from the original filesystem.
23This is most obvious from the 'st_dev' field returned by stat(2).
24
25While directories will report an st_dev from the overlay-filesystem,
26non-directory objects may report an st_dev from the lower filesystem or
27upper filesystem that is providing the object.  Similarly st_ino will
28only be unique when combined with st_dev, and both of these can change
29over the lifetime of a non-directory object.  Many applications and
30tools ignore these values and will not be affected.
31
32In the special case of all overlay layers on the same underlying
33filesystem, all objects will report an st_dev from the overlay
34filesystem and st_ino from the underlying filesystem.  This will
35make the overlay mount more compliant with filesystem scanners and
36overlay objects will be distinguishable from the corresponding
37objects in the original filesystem.
38
39On 64bit systems, even if all overlay layers are not on the same
40underlying filesystem, the same compliant behavior could be achieved
41with the "xino" feature.  The "xino" feature composes a unique object
42identifier from the real object st_ino and an underlying fsid index.
43The "xino" feature uses the high inode number bits for fsid, because the
44underlying filesystems rarely use the high inode number bits.  In case
45the underlying inode number does overflow into the high xino bits, overlay
46filesystem will fall back to the non xino behavior for that inode.
47
48The "xino" feature can be enabled with the "-o xino=on" overlay mount option.
49If all underlying filesystems support NFS file handles, the value of st_ino
50for overlay filesystem objects is not only unique, but also persistent over
51the lifetime of the filesystem.  The "-o xino=auto" overlay mount option
52enables the "xino" feature only if the persistent st_ino requirement is met.
53
54The following table summarizes what can be expected in different overlay
55configurations.
56
57Inode properties
58````````````````
59
60+--------------+------------+------------+-----------------+----------------+
61|Configuration | Persistent | Uniform    | st_ino == d_ino | d_ino == i_ino |
62|              | st_ino     | st_dev     |                 | [*]            |
63+==============+=====+======+=====+======+========+========+========+=======+
64|              | dir | !dir | dir | !dir |  dir   +  !dir  |  dir   | !dir  |
65+--------------+-----+------+-----+------+--------+--------+--------+-------+
66| All layers   |  Y  |  Y   |  Y  |  Y   |  Y     |   Y    |  Y     |  Y    |
67| on same fs   |     |      |     |      |        |        |        |       |
68+--------------+-----+------+-----+------+--------+--------+--------+-------+
69| Layers not   |  N  |  N   |  Y  |  N   |  N     |   Y    |  N     |  Y    |
70| on same fs,  |     |      |     |      |        |        |        |       |
71| xino=off     |     |      |     |      |        |        |        |       |
72+--------------+-----+------+-----+------+--------+--------+--------+-------+
73| xino=on/auto |  Y  |  Y   |  Y  |  Y   |  Y     |   Y    |  Y     |  Y    |
74+--------------+-----+------+-----+------+--------+--------+--------+-------+
75| xino=on/auto,|  N  |  N   |  Y  |  N   |  N     |   Y    |  N     |  Y    |
76| ino overflow |     |      |     |      |        |        |        |       |
77+--------------+-----+------+-----+------+--------+--------+--------+-------+
78
79[*] nfsd v3 readdirplus verifies d_ino == i_ino. i_ino is exposed via several
80/proc files, such as /proc/locks and /proc/self/fdinfo/<fd> of an inotify
81file descriptor.
82
83Upper and Lower
84---------------
85
86An overlay filesystem combines two filesystems - an 'upper' filesystem
87and a 'lower' filesystem.  When a name exists in both filesystems, the
88object in the 'upper' filesystem is visible while the object in the
89'lower' filesystem is either hidden or, in the case of directories,
90merged with the 'upper' object.
91
92It would be more correct to refer to an upper and lower 'directory
93tree' rather than 'filesystem' as it is quite possible for both
94directory trees to be in the same filesystem and there is no
95requirement that the root of a filesystem be given for either upper or
96lower.
97
98A wide range of filesystems supported by Linux can be the lower filesystem,
99but not all filesystems that are mountable by Linux have the features
100needed for OverlayFS to work.  The lower filesystem does not need to be
101writable.  The lower filesystem can even be another overlayfs.  The upper
102filesystem will normally be writable and if it is it must support the
103creation of trusted.* and/or user.* extended attributes, and must provide
104valid d_type in readdir responses, so NFS is not suitable.
105
106A read-only overlay of two read-only filesystems may use any
107filesystem type.
108
109Directories
110-----------
111
112Overlaying mainly involves directories.  If a given name appears in both
113upper and lower filesystems and refers to a non-directory in either,
114then the lower object is hidden - the name refers only to the upper
115object.
116
117Where both upper and lower objects are directories, a merged directory
118is formed.
119
120At mount time, the two directories given as mount options "lowerdir" and
121"upperdir" are combined into a merged directory:
122
123  mount -t overlay overlay -olowerdir=/lower,upperdir=/upper,\
124  workdir=/work /merged
125
126The "workdir" needs to be an empty directory on the same filesystem
127as upperdir.
128
129Then whenever a lookup is requested in such a merged directory, the
130lookup is performed in each actual directory and the combined result
131is cached in the dentry belonging to the overlay filesystem.  If both
132actual lookups find directories, both are stored and a merged
133directory is created, otherwise only one is stored: the upper if it
134exists, else the lower.
135
136Only the lists of names from directories are merged.  Other content
137such as metadata and extended attributes are reported for the upper
138directory only.  These attributes of the lower directory are hidden.
139
140whiteouts and opaque directories
141--------------------------------
142
143In order to support rm and rmdir without changing the lower
144filesystem, an overlay filesystem needs to record in the upper filesystem
145that files have been removed.  This is done using whiteouts and opaque
146directories (non-directories are always opaque).
147
148A whiteout is created as a character device with 0/0 device number.
149When a whiteout is found in the upper level of a merged directory, any
150matching name in the lower level is ignored, and the whiteout itself
151is also hidden.
152
153A directory is made opaque by setting the xattr "trusted.overlay.opaque"
154to "y".  Where the upper filesystem contains an opaque directory, any
155directory in the lower filesystem with the same name is ignored.
156
157readdir
158-------
159
160When a 'readdir' request is made on a merged directory, the upper and
161lower directories are each read and the name lists merged in the
162obvious way (upper is read first, then lower - entries that already
163exist are not re-added).  This merged name list is cached in the
164'struct file' and so remains as long as the file is kept open.  If the
165directory is opened and read by two processes at the same time, they
166will each have separate caches.  A seekdir to the start of the
167directory (offset 0) followed by a readdir will cause the cache to be
168discarded and rebuilt.
169
170This means that changes to the merged directory do not appear while a
171directory is being read.  This is unlikely to be noticed by many
172programs.
173
174seek offsets are assigned sequentially when the directories are read.
175Thus if
176
177  - read part of a directory
178  - remember an offset, and close the directory
179  - re-open the directory some time later
180  - seek to the remembered offset
181
182there may be little correlation between the old and new locations in
183the list of filenames, particularly if anything has changed in the
184directory.
185
186Readdir on directories that are not merged is simply handled by the
187underlying directory (upper or lower).
188
189renaming directories
190--------------------
191
192When renaming a directory that is on the lower layer or merged (i.e. the
193directory was not created on the upper layer to start with) overlayfs can
194handle it in two different ways:
195
1961. return EXDEV error: this error is returned by rename(2) when trying to
197   move a file or directory across filesystem boundaries.  Hence
198   applications are usually prepared to handle this error (mv(1) for example
199   recursively copies the directory tree).  This is the default behavior.
200
2012. If the "redirect_dir" feature is enabled, then the directory will be
202   copied up (but not the contents).  Then the "trusted.overlay.redirect"
203   extended attribute is set to the path of the original location from the
204   root of the overlay.  Finally the directory is moved to the new
205   location.
206
207There are several ways to tune the "redirect_dir" feature.
208
209Kernel config options:
210
211- OVERLAY_FS_REDIRECT_DIR:
212    If this is enabled, then redirect_dir is turned on by  default.
213- OVERLAY_FS_REDIRECT_ALWAYS_FOLLOW:
214    If this is enabled, then redirects are always followed by default. Enabling
215    this results in a less secure configuration.  Enable this option only when
216    worried about backward compatibility with kernels that have the redirect_dir
217    feature and follow redirects even if turned off.
218
219Module options (can also be changed through /sys/module/overlay/parameters/):
220
221- "redirect_dir=BOOL":
222    See OVERLAY_FS_REDIRECT_DIR kernel config option above.
223- "redirect_always_follow=BOOL":
224    See OVERLAY_FS_REDIRECT_ALWAYS_FOLLOW kernel config option above.
225- "redirect_max=NUM":
226    The maximum number of bytes in an absolute redirect (default is 256).
227
228Mount options:
229
230- "redirect_dir=on":
231    Redirects are enabled.
232- "redirect_dir=follow":
233    Redirects are not created, but followed.
234- "redirect_dir=nofollow":
235    Redirects are not created and not followed.
236- "redirect_dir=off":
237    If "redirect_always_follow" is enabled in the kernel/module config,
238    this "off" translates to "follow", otherwise it translates to "nofollow".
239
240When the NFS export feature is enabled, every copied up directory is
241indexed by the file handle of the lower inode and a file handle of the
242upper directory is stored in a "trusted.overlay.upper" extended attribute
243on the index entry.  On lookup of a merged directory, if the upper
244directory does not match the file handle stores in the index, that is an
245indication that multiple upper directories may be redirected to the same
246lower directory.  In that case, lookup returns an error and warns about
247a possible inconsistency.
248
249Because lower layer redirects cannot be verified with the index, enabling
250NFS export support on an overlay filesystem with no upper layer requires
251turning off redirect follow (e.g. "redirect_dir=nofollow").
252
253
254Non-directories
255---------------
256
257Objects that are not directories (files, symlinks, device-special
258files etc.) are presented either from the upper or lower filesystem as
259appropriate.  When a file in the lower filesystem is accessed in a way
260the requires write-access, such as opening for write access, changing
261some metadata etc., the file is first copied from the lower filesystem
262to the upper filesystem (copy_up).  Note that creating a hard-link
263also requires copy_up, though of course creation of a symlink does
264not.
265
266The copy_up may turn out to be unnecessary, for example if the file is
267opened for read-write but the data is not modified.
268
269The copy_up process first makes sure that the containing directory
270exists in the upper filesystem - creating it and any parents as
271necessary.  It then creates the object with the same metadata (owner,
272mode, mtime, symlink-target etc.) and then if the object is a file, the
273data is copied from the lower to the upper filesystem.  Finally any
274extended attributes are copied up.
275
276Once the copy_up is complete, the overlay filesystem simply
277provides direct access to the newly created file in the upper
278filesystem - future operations on the file are barely noticed by the
279overlay filesystem (though an operation on the name of the file such as
280rename or unlink will of course be noticed and handled).
281
282
283Permission model
284----------------
285
286Permission checking in the overlay filesystem follows these principles:
287
288 1) permission check SHOULD return the same result before and after copy up
289
290 2) task creating the overlay mount MUST NOT gain additional privileges
291
292 3) non-mounting task MAY gain additional privileges through the overlay,
293 compared to direct access on underlying lower or upper filesystems
294
295This is achieved by performing two permission checks on each access
296
297 a) check if current task is allowed access based on local DAC (owner,
298    group, mode and posix acl), as well as MAC checks
299
300 b) check if mounting task would be allowed real operation on lower or
301    upper layer based on underlying filesystem permissions, again including
302    MAC checks
303
304Check (a) ensures consistency (1) since owner, group, mode and posix acls
305are copied up.  On the other hand it can result in server enforced
306permissions (used by NFS, for example) being ignored (3).
307
308Check (b) ensures that no task gains permissions to underlying layers that
309the mounting task does not have (2).  This also means that it is possible
310to create setups where the consistency rule (1) does not hold; normally,
311however, the mounting task will have sufficient privileges to perform all
312operations.
313
314Another way to demonstrate this model is drawing parallels between
315
316  mount -t overlay overlay -olowerdir=/lower,upperdir=/upper,... /merged
317
318and
319
320  cp -a /lower /upper
321  mount --bind /upper /merged
322
323The resulting access permissions should be the same.  The difference is in
324the time of copy (on-demand vs. up-front).
325
326
327Multiple lower layers
328---------------------
329
330Multiple lower layers can now be given using the colon (":") as a
331separator character between the directory names.  For example:
332
333  mount -t overlay overlay -olowerdir=/lower1:/lower2:/lower3 /merged
334
335As the example shows, "upperdir=" and "workdir=" may be omitted.  In
336that case the overlay will be read-only.
337
338The specified lower directories will be stacked beginning from the
339rightmost one and going left.  In the above example lower1 will be the
340top, lower2 the middle and lower3 the bottom layer.
341
342Note: directory names containing colons can be provided as lower layer by
343escaping the colons with a single backslash.  For example:
344
345  mount -t overlay overlay -olowerdir=/a\:lower\:\:dir /merged
346
347Since kernel version v6.8, directory names containing colons can also
348be configured as lower layer using the "lowerdir+" mount options and the
349fsconfig syscall from new mount api.  For example:
350
351  fsconfig(fs_fd, FSCONFIG_SET_STRING, "lowerdir+", "/a:lower::dir", 0);
352
353In the latter case, colons in lower layer directory names will be escaped
354as an octal characters (\072) when displayed in /proc/self/mountinfo.
355
356Metadata only copy up
357---------------------
358
359When metadata only copy up feature is enabled, overlayfs will only copy
360up metadata (as opposed to whole file), when a metadata specific operation
361like chown/chmod is performed. Full file will be copied up later when
362file is opened for WRITE operation.
363
364In other words, this is delayed data copy up operation and data is copied
365up when there is a need to actually modify data.
366
367There are multiple ways to enable/disable this feature. A config option
368CONFIG_OVERLAY_FS_METACOPY can be set/unset to enable/disable this feature
369by default. Or one can enable/disable it at module load time with module
370parameter metacopy=on/off. Lastly, there is also a per mount option
371metacopy=on/off to enable/disable this feature per mount.
372
373Do not use metacopy=on with untrusted upper/lower directories. Otherwise
374it is possible that an attacker can create a handcrafted file with
375appropriate REDIRECT and METACOPY xattrs, and gain access to file on lower
376pointed by REDIRECT. This should not be possible on local system as setting
377"trusted." xattrs will require CAP_SYS_ADMIN. But it should be possible
378for untrusted layers like from a pen drive.
379
380Note: redirect_dir={off|nofollow|follow[*]} and nfs_export=on mount options
381conflict with metacopy=on, and will result in an error.
382
383[*] redirect_dir=follow only conflicts with metacopy=on if upperdir=... is
384given.
385
386
387Data-only lower layers
388----------------------
389
390With "metacopy" feature enabled, an overlayfs regular file may be a composition
391of information from up to three different layers:
392
393 1) metadata from a file in the upper layer
394
395 2) st_ino and st_dev object identifier from a file in a lower layer
396
397 3) data from a file in another lower layer (further below)
398
399The "lower data" file can be on any lower layer, except from the top most
400lower layer.
401
402Below the top most lower layer, any number of lower most layers may be defined
403as "data-only" lower layers, using double colon ("::") separators.
404A normal lower layer is not allowed to be below a data-only layer, so single
405colon separators are not allowed to the right of double colon ("::") separators.
406
407
408For example:
409
410  mount -t overlay overlay -olowerdir=/l1:/l2:/l3::/do1::/do2 /merged
411
412The paths of files in the "data-only" lower layers are not visible in the
413merged overlayfs directories and the metadata and st_ino/st_dev of files
414in the "data-only" lower layers are not visible in overlayfs inodes.
415
416Only the data of the files in the "data-only" lower layers may be visible
417when a "metacopy" file in one of the lower layers above it, has a "redirect"
418to the absolute path of the "lower data" file in the "data-only" lower layer.
419
420Since kernel version v6.8, "data-only" lower layers can also be added using
421the "datadir+" mount options and the fsconfig syscall from new mount api.
422For example:
423
424  fsconfig(fs_fd, FSCONFIG_SET_STRING, "lowerdir+", "/l1", 0);
425  fsconfig(fs_fd, FSCONFIG_SET_STRING, "lowerdir+", "/l2", 0);
426  fsconfig(fs_fd, FSCONFIG_SET_STRING, "lowerdir+", "/l3", 0);
427  fsconfig(fs_fd, FSCONFIG_SET_STRING, "datadir+", "/do1", 0);
428  fsconfig(fs_fd, FSCONFIG_SET_STRING, "datadir+", "/do2", 0);
429
430
431fs-verity support
432----------------------
433
434During metadata copy up of a lower file, if the source file has
435fs-verity enabled and overlay verity support is enabled, then the
436digest of the lower file is added to the "trusted.overlay.metacopy"
437xattr. This is then used to verify the content of the lower file
438each the time the metacopy file is opened.
439
440When a layer containing verity xattrs is used, it means that any such
441metacopy file in the upper layer is guaranteed to match the content
442that was in the lower at the time of the copy-up. If at any time
443(during a mount, after a remount, etc) such a file in the lower is
444replaced or modified in any way, access to the corresponding file in
445overlayfs will result in EIO errors (either on open, due to overlayfs
446digest check, or from a later read due to fs-verity) and a detailed
447error is printed to the kernel logs. For more details of how fs-verity
448file access works, see :ref:`Documentation/filesystems/fsverity.rst
449<accessing_verity_files>`.
450
451Verity can be used as a general robustness check to detect accidental
452changes in the overlayfs directories in use. But, with additional care
453it can also give more powerful guarantees. For example, if the upper
454layer is fully trusted (by using dm-verity or something similar), then
455an untrusted lower layer can be used to supply validated file content
456for all metacopy files.  If additionally the untrusted lower
457directories are specified as "Data-only", then they can only supply
458such file content, and the entire mount can be trusted to match the
459upper layer.
460
461This feature is controlled by the "verity" mount option, which
462supports these values:
463
464- "off":
465    The metacopy digest is never generated or used. This is the
466    default if verity option is not specified.
467- "on":
468    Whenever a metacopy files specifies an expected digest, the
469    corresponding data file must match the specified digest. When
470    generating a metacopy file the verity digest will be set in it
471    based on the source file (if it has one).
472- "require":
473    Same as "on", but additionally all metacopy files must specify a
474    digest (or EIO is returned on open). This means metadata copy up
475    will only be used if the data file has fs-verity enabled,
476    otherwise a full copy-up is used.
477
478Sharing and copying layers
479--------------------------
480
481Lower layers may be shared among several overlay mounts and that is indeed
482a very common practice.  An overlay mount may use the same lower layer
483path as another overlay mount and it may use a lower layer path that is
484beneath or above the path of another overlay lower layer path.
485
486Using an upper layer path and/or a workdir path that are already used by
487another overlay mount is not allowed and may fail with EBUSY.  Using
488partially overlapping paths is not allowed and may fail with EBUSY.
489If files are accessed from two overlayfs mounts which share or overlap the
490upper layer and/or workdir path the behavior of the overlay is undefined,
491though it will not result in a crash or deadlock.
492
493Mounting an overlay using an upper layer path, where the upper layer path
494was previously used by another mounted overlay in combination with a
495different lower layer path, is allowed, unless the "inodes index" feature
496or "metadata only copy up" feature is enabled.
497
498With the "inodes index" feature, on the first time mount, an NFS file
499handle of the lower layer root directory, along with the UUID of the lower
500filesystem, are encoded and stored in the "trusted.overlay.origin" extended
501attribute on the upper layer root directory.  On subsequent mount attempts,
502the lower root directory file handle and lower filesystem UUID are compared
503to the stored origin in upper root directory.  On failure to verify the
504lower root origin, mount will fail with ESTALE.  An overlayfs mount with
505"inodes index" enabled will fail with EOPNOTSUPP if the lower filesystem
506does not support NFS export, lower filesystem does not have a valid UUID or
507if the upper filesystem does not support extended attributes.
508
509For "metadata only copy up" feature there is no verification mechanism at
510mount time. So if same upper is mounted with different set of lower, mount
511probably will succeed but expect the unexpected later on. So don't do it.
512
513It is quite a common practice to copy overlay layers to a different
514directory tree on the same or different underlying filesystem, and even
515to a different machine.  With the "inodes index" feature, trying to mount
516the copied layers will fail the verification of the lower root file handle.
517
518Nesting overlayfs mounts
519------------------------
520
521It is possible to use a lower directory that is stored on an overlayfs
522mount. For regular files this does not need any special care. However, files
523that have overlayfs attributes, such as whiteouts or "overlay.*" xattrs will be
524interpreted by the underlying overlayfs mount and stripped out. In order to
525allow the second overlayfs mount to see the attributes they must be escaped.
526
527Overlayfs specific xattrs are escaped by using a special prefix of
528"overlay.overlay.". So, a file with a "trusted.overlay.overlay.metacopy" xattr
529in the lower dir will be exposed as a regular file with a
530"trusted.overlay.metacopy" xattr in the overlayfs mount. This can be nested by
531repeating the prefix multiple time, as each instance only removes one prefix.
532
533A lower dir with a regular whiteout will always be handled by the overlayfs
534mount, so to support storing an effective whiteout file in an overlayfs mount an
535alternative form of whiteout is supported. This form is a regular, zero-size
536file with the "overlay.whiteout" xattr set, inside a directory with the
537"overlay.whiteouts" xattr set. Such whiteouts are never created by overlayfs,
538but can be used by userspace tools (like containers) that generate lower layers.
539These alternative whiteouts can be escaped using the standard xattr escape
540mechanism in order to properly nest to any depth.
541
542Non-standard behavior
543---------------------
544
545Current version of overlayfs can act as a mostly POSIX compliant
546filesystem.
547
548This is the list of cases that overlayfs doesn't currently handle:
549
550a) POSIX mandates updating st_atime for reads.  This is currently not
551done in the case when the file resides on a lower layer.
552
553b) If a file residing on a lower layer is opened for read-only and then
554memory mapped with MAP_SHARED, then subsequent changes to the file are not
555reflected in the memory mapping.
556
557c) If a file residing on a lower layer is being executed, then opening that
558file for write or truncating the file will not be denied with ETXTBSY.
559
560The following options allow overlayfs to act more like a standards
561compliant filesystem:
562
5631) "redirect_dir"
564
565Enabled with the mount option or module option: "redirect_dir=on" or with
566the kernel config option CONFIG_OVERLAY_FS_REDIRECT_DIR=y.
567
568If this feature is disabled, then rename(2) on a lower or merged directory
569will fail with EXDEV ("Invalid cross-device link").
570
5712) "inode index"
572
573Enabled with the mount option or module option "index=on" or with the
574kernel config option CONFIG_OVERLAY_FS_INDEX=y.
575
576If this feature is disabled and a file with multiple hard links is copied
577up, then this will "break" the link.  Changes will not be propagated to
578other names referring to the same inode.
579
5803) "xino"
581
582Enabled with the mount option "xino=auto" or "xino=on", with the module
583option "xino_auto=on" or with the kernel config option
584CONFIG_OVERLAY_FS_XINO_AUTO=y.  Also implicitly enabled by using the same
585underlying filesystem for all layers making up the overlay.
586
587If this feature is disabled or the underlying filesystem doesn't have
588enough free bits in the inode number, then overlayfs will not be able to
589guarantee that the values of st_ino and st_dev returned by stat(2) and the
590value of d_ino returned by readdir(3) will act like on a normal filesystem.
591E.g. the value of st_dev may be different for two objects in the same
592overlay filesystem and the value of st_ino for filesystem objects may not be
593persistent and could change even while the overlay filesystem is mounted, as
594summarized in the `Inode properties`_ table above.
595
596
597Changes to underlying filesystems
598---------------------------------
599
600Changes to the underlying filesystems while part of a mounted overlay
601filesystem are not allowed.  If the underlying filesystem is changed,
602the behavior of the overlay is undefined, though it will not result in
603a crash or deadlock.
604
605Offline changes, when the overlay is not mounted, are allowed to the
606upper tree.  Offline changes to the lower tree are only allowed if the
607"metadata only copy up", "inode index", "xino" and "redirect_dir" features
608have not been used.  If the lower tree is modified and any of these
609features has been used, the behavior of the overlay is undefined,
610though it will not result in a crash or deadlock.
611
612When the overlay NFS export feature is enabled, overlay filesystems
613behavior on offline changes of the underlying lower layer is different
614than the behavior when NFS export is disabled.
615
616On every copy_up, an NFS file handle of the lower inode, along with the
617UUID of the lower filesystem, are encoded and stored in an extended
618attribute "trusted.overlay.origin" on the upper inode.
619
620When the NFS export feature is enabled, a lookup of a merged directory,
621that found a lower directory at the lookup path or at the path pointed
622to by the "trusted.overlay.redirect" extended attribute, will verify
623that the found lower directory file handle and lower filesystem UUID
624match the origin file handle that was stored at copy_up time.  If a
625found lower directory does not match the stored origin, that directory
626will not be merged with the upper directory.
627
628
629
630NFS export
631----------
632
633When the underlying filesystems supports NFS export and the "nfs_export"
634feature is enabled, an overlay filesystem may be exported to NFS.
635
636With the "nfs_export" feature, on copy_up of any lower object, an index
637entry is created under the index directory.  The index entry name is the
638hexadecimal representation of the copy up origin file handle.  For a
639non-directory object, the index entry is a hard link to the upper inode.
640For a directory object, the index entry has an extended attribute
641"trusted.overlay.upper" with an encoded file handle of the upper
642directory inode.
643
644When encoding a file handle from an overlay filesystem object, the
645following rules apply:
646
6471. For a non-upper object, encode a lower file handle from lower inode
6482. For an indexed object, encode a lower file handle from copy_up origin
6493. For a pure-upper object and for an existing non-indexed upper object,
650   encode an upper file handle from upper inode
651
652The encoded overlay file handle includes:
653 - Header including path type information (e.g. lower/upper)
654 - UUID of the underlying filesystem
655 - Underlying filesystem encoding of underlying inode
656
657This encoding format is identical to the encoding format file handles that
658are stored in extended attribute "trusted.overlay.origin".
659
660When decoding an overlay file handle, the following steps are followed:
661
6621. Find underlying layer by UUID and path type information.
6632. Decode the underlying filesystem file handle to underlying dentry.
6643. For a lower file handle, lookup the handle in index directory by name.
6654. If a whiteout is found in index, return ESTALE. This represents an
666   overlay object that was deleted after its file handle was encoded.
6675. For a non-directory, instantiate a disconnected overlay dentry from the
668   decoded underlying dentry, the path type and index inode, if found.
6696. For a directory, use the connected underlying decoded dentry, path type
670   and index, to lookup a connected overlay dentry.
671
672Decoding a non-directory file handle may return a disconnected dentry.
673copy_up of that disconnected dentry will create an upper index entry with
674no upper alias.
675
676When overlay filesystem has multiple lower layers, a middle layer
677directory may have a "redirect" to lower directory.  Because middle layer
678"redirects" are not indexed, a lower file handle that was encoded from the
679"redirect" origin directory, cannot be used to find the middle or upper
680layer directory.  Similarly, a lower file handle that was encoded from a
681descendant of the "redirect" origin directory, cannot be used to
682reconstruct a connected overlay path.  To mitigate the cases of
683directories that cannot be decoded from a lower file handle, these
684directories are copied up on encode and encoded as an upper file handle.
685On an overlay filesystem with no upper layer this mitigation cannot be
686used NFS export in this setup requires turning off redirect follow (e.g.
687"redirect_dir=nofollow").
688
689The overlay filesystem does not support non-directory connectable file
690handles, so exporting with the 'subtree_check' exportfs configuration will
691cause failures to lookup files over NFS.
692
693When the NFS export feature is enabled, all directory index entries are
694verified on mount time to check that upper file handles are not stale.
695This verification may cause significant overhead in some cases.
696
697Note: the mount options index=off,nfs_export=on are conflicting for a
698read-write mount and will result in an error.
699
700Note: the mount option uuid=off can be used to replace UUID of the underlying
701filesystem in file handles with null, and effectively disable UUID checks. This
702can be useful in case the underlying disk is copied and the UUID of this copy
703is changed. This is only applicable if all lower/upper/work directories are on
704the same filesystem, otherwise it will fallback to normal behaviour.
705
706
707UUID and fsid
708-------------
709
710The UUID of overlayfs instance itself and the fsid reported by statfs(2) are
711controlled by the "uuid" mount option, which supports these values:
712
713- "null":
714    UUID of overlayfs is null. fsid is taken from upper most filesystem.
715- "off":
716    UUID of overlayfs is null. fsid is taken from upper most filesystem.
717    UUID of underlying layers is ignored.
718- "on":
719    UUID of overlayfs is generated and used to report a unique fsid.
720    UUID is stored in xattr "trusted.overlay.uuid", making overlayfs fsid
721    unique and persistent.  This option requires an overlayfs with upper
722    filesystem that supports xattrs.
723- "auto": (default)
724    UUID is taken from xattr "trusted.overlay.uuid" if it exists.
725    Upgrade to "uuid=on" on first time mount of new overlay filesystem that
726    meets the prerequites.
727    Downgrade to "uuid=null" for existing overlay filesystems that were never
728    mounted with "uuid=on".
729
730
731Volatile mount
732--------------
733
734This is enabled with the "volatile" mount option.  Volatile mounts are not
735guaranteed to survive a crash.  It is strongly recommended that volatile
736mounts are only used if data written to the overlay can be recreated
737without significant effort.
738
739The advantage of mounting with the "volatile" option is that all forms of
740sync calls to the upper filesystem are omitted.
741
742In order to avoid a giving a false sense of safety, the syncfs (and fsync)
743semantics of volatile mounts are slightly different than that of the rest of
744VFS.  If any writeback error occurs on the upperdir's filesystem after a
745volatile mount takes place, all sync functions will return an error.  Once this
746condition is reached, the filesystem will not recover, and every subsequent sync
747call will return an error, even if the upperdir has not experience a new error
748since the last sync call.
749
750When overlay is mounted with "volatile" option, the directory
751"$workdir/work/incompat/volatile" is created.  During next mount, overlay
752checks for this directory and refuses to mount if present. This is a strong
753indicator that user should throw away upper and work directories and create
754fresh one. In very limited cases where the user knows that the system has
755not crashed and contents of upperdir are intact, The "volatile" directory
756can be removed.
757
758
759User xattr
760----------
761
762The "-o userxattr" mount option forces overlayfs to use the
763"user.overlay." xattr namespace instead of "trusted.overlay.".  This is
764useful for unprivileged mounting of overlayfs.
765
766
767Testsuite
768---------
769
770There's a testsuite originally developed by David Howells and currently
771maintained by Amir Goldstein at:
772
773  https://github.com/amir73il/unionmount-testsuite.git
774
775Run as root:
776
777  # cd unionmount-testsuite
778  # ./run --ov --verify
779