xref: /linux/Documentation/filesystems/overlayfs.rst (revision eed4edda910fe34dfae8c6bfbcf57f4593a54295)
1.. SPDX-License-Identifier: GPL-2.0
2
3Written by: Neil Brown
4Please see MAINTAINERS file for where to send questions.
5
6Overlay Filesystem
7==================
8
9This document describes a prototype for a new approach to providing
10overlay-filesystem functionality in Linux (sometimes referred to as
11union-filesystems).  An overlay-filesystem tries to present a
12filesystem which is the result over overlaying one filesystem on top
13of the other.
14
15
16Overlay objects
17---------------
18
19The overlay filesystem approach is 'hybrid', because the objects that
20appear in the filesystem do not always appear to belong to that filesystem.
21In many cases, an object accessed in the union will be indistinguishable
22from accessing the corresponding object from the original filesystem.
23This is most obvious from the 'st_dev' field returned by stat(2).
24
25While directories will report an st_dev from the overlay-filesystem,
26non-directory objects may report an st_dev from the lower filesystem or
27upper filesystem that is providing the object.  Similarly st_ino will
28only be unique when combined with st_dev, and both of these can change
29over the lifetime of a non-directory object.  Many applications and
30tools ignore these values and will not be affected.
31
32In the special case of all overlay layers on the same underlying
33filesystem, all objects will report an st_dev from the overlay
34filesystem and st_ino from the underlying filesystem.  This will
35make the overlay mount more compliant with filesystem scanners and
36overlay objects will be distinguishable from the corresponding
37objects in the original filesystem.
38
39On 64bit systems, even if all overlay layers are not on the same
40underlying filesystem, the same compliant behavior could be achieved
41with the "xino" feature.  The "xino" feature composes a unique object
42identifier from the real object st_ino and an underlying fsid number.
43The "xino" feature uses the high inode number bits for fsid, because the
44underlying filesystems rarely use the high inode number bits.  In case
45the underlying inode number does overflow into the high xino bits, overlay
46filesystem will fall back to the non xino behavior for that inode.
47
48The "xino" feature can be enabled with the "-o xino=on" overlay mount option.
49If all underlying filesystems support NFS file handles, the value of st_ino
50for overlay filesystem objects is not only unique, but also persistent over
51the lifetime of the filesystem.  The "-o xino=auto" overlay mount option
52enables the "xino" feature only if the persistent st_ino requirement is met.
53
54The following table summarizes what can be expected in different overlay
55configurations.
56
57Inode properties
58````````````````
59
60+--------------+------------+------------+-----------------+----------------+
61|Configuration | Persistent | Uniform    | st_ino == d_ino | d_ino == i_ino |
62|              | st_ino     | st_dev     |                 | [*]            |
63+==============+=====+======+=====+======+========+========+========+=======+
64|              | dir | !dir | dir | !dir |  dir   +  !dir  |  dir   | !dir  |
65+--------------+-----+------+-----+------+--------+--------+--------+-------+
66| All layers   |  Y  |  Y   |  Y  |  Y   |  Y     |   Y    |  Y     |  Y    |
67| on same fs   |     |      |     |      |        |        |        |       |
68+--------------+-----+------+-----+------+--------+--------+--------+-------+
69| Layers not   |  N  |  N   |  Y  |  N   |  N     |   Y    |  N     |  Y    |
70| on same fs,  |     |      |     |      |        |        |        |       |
71| xino=off     |     |      |     |      |        |        |        |       |
72+--------------+-----+------+-----+------+--------+--------+--------+-------+
73| xino=on/auto |  Y  |  Y   |  Y  |  Y   |  Y     |   Y    |  Y     |  Y    |
74+--------------+-----+------+-----+------+--------+--------+--------+-------+
75| xino=on/auto,|  N  |  N   |  Y  |  N   |  N     |   Y    |  N     |  Y    |
76| ino overflow |     |      |     |      |        |        |        |       |
77+--------------+-----+------+-----+------+--------+--------+--------+-------+
78
79[*] nfsd v3 readdirplus verifies d_ino == i_ino. i_ino is exposed via several
80/proc files, such as /proc/locks and /proc/self/fdinfo/<fd> of an inotify
81file descriptor.
82
83Upper and Lower
84---------------
85
86An overlay filesystem combines two filesystems - an 'upper' filesystem
87and a 'lower' filesystem.  When a name exists in both filesystems, the
88object in the 'upper' filesystem is visible while the object in the
89'lower' filesystem is either hidden or, in the case of directories,
90merged with the 'upper' object.
91
92It would be more correct to refer to an upper and lower 'directory
93tree' rather than 'filesystem' as it is quite possible for both
94directory trees to be in the same filesystem and there is no
95requirement that the root of a filesystem be given for either upper or
96lower.
97
98A wide range of filesystems supported by Linux can be the lower filesystem,
99but not all filesystems that are mountable by Linux have the features
100needed for OverlayFS to work.  The lower filesystem does not need to be
101writable.  The lower filesystem can even be another overlayfs.  The upper
102filesystem will normally be writable and if it is it must support the
103creation of trusted.* and/or user.* extended attributes, and must provide
104valid d_type in readdir responses, so NFS is not suitable.
105
106A read-only overlay of two read-only filesystems may use any
107filesystem type.
108
109Directories
110-----------
111
112Overlaying mainly involves directories.  If a given name appears in both
113upper and lower filesystems and refers to a non-directory in either,
114then the lower object is hidden - the name refers only to the upper
115object.
116
117Where both upper and lower objects are directories, a merged directory
118is formed.
119
120At mount time, the two directories given as mount options "lowerdir" and
121"upperdir" are combined into a merged directory::
122
123  mount -t overlay overlay -olowerdir=/lower,upperdir=/upper,\
124  workdir=/work /merged
125
126The "workdir" needs to be an empty directory on the same filesystem
127as upperdir.
128
129Then whenever a lookup is requested in such a merged directory, the
130lookup is performed in each actual directory and the combined result
131is cached in the dentry belonging to the overlay filesystem.  If both
132actual lookups find directories, both are stored and a merged
133directory is created, otherwise only one is stored: the upper if it
134exists, else the lower.
135
136Only the lists of names from directories are merged.  Other content
137such as metadata and extended attributes are reported for the upper
138directory only.  These attributes of the lower directory are hidden.
139
140whiteouts and opaque directories
141--------------------------------
142
143In order to support rm and rmdir without changing the lower
144filesystem, an overlay filesystem needs to record in the upper filesystem
145that files have been removed.  This is done using whiteouts and opaque
146directories (non-directories are always opaque).
147
148A whiteout is created as a character device with 0/0 device number or
149as a zero-size regular file with the xattr "trusted.overlay.whiteout".
150
151When a whiteout is found in the upper level of a merged directory, any
152matching name in the lower level is ignored, and the whiteout itself
153is also hidden.
154
155A directory is made opaque by setting the xattr "trusted.overlay.opaque"
156to "y".  Where the upper filesystem contains an opaque directory, any
157directory in the lower filesystem with the same name is ignored.
158
159An opaque directory should not conntain any whiteouts, because they do not
160serve any purpose.  A merge directory containing regular files with the xattr
161"trusted.overlay.whiteout", should be additionally marked by setting the xattr
162"trusted.overlay.opaque" to "x" on the merge directory itself.
163This is needed to avoid the overhead of checking the "trusted.overlay.whiteout"
164on all entries during readdir in the common case.
165
166readdir
167-------
168
169When a 'readdir' request is made on a merged directory, the upper and
170lower directories are each read and the name lists merged in the
171obvious way (upper is read first, then lower - entries that already
172exist are not re-added).  This merged name list is cached in the
173'struct file' and so remains as long as the file is kept open.  If the
174directory is opened and read by two processes at the same time, they
175will each have separate caches.  A seekdir to the start of the
176directory (offset 0) followed by a readdir will cause the cache to be
177discarded and rebuilt.
178
179This means that changes to the merged directory do not appear while a
180directory is being read.  This is unlikely to be noticed by many
181programs.
182
183seek offsets are assigned sequentially when the directories are read.
184Thus if:
185
186 - read part of a directory
187 - remember an offset, and close the directory
188 - re-open the directory some time later
189 - seek to the remembered offset
190
191there may be little correlation between the old and new locations in
192the list of filenames, particularly if anything has changed in the
193directory.
194
195Readdir on directories that are not merged is simply handled by the
196underlying directory (upper or lower).
197
198renaming directories
199--------------------
200
201When renaming a directory that is on the lower layer or merged (i.e. the
202directory was not created on the upper layer to start with) overlayfs can
203handle it in two different ways:
204
2051. return EXDEV error: this error is returned by rename(2) when trying to
206   move a file or directory across filesystem boundaries.  Hence
207   applications are usually prepared to handle this error (mv(1) for example
208   recursively copies the directory tree).  This is the default behavior.
209
2102. If the "redirect_dir" feature is enabled, then the directory will be
211   copied up (but not the contents).  Then the "trusted.overlay.redirect"
212   extended attribute is set to the path of the original location from the
213   root of the overlay.  Finally the directory is moved to the new
214   location.
215
216There are several ways to tune the "redirect_dir" feature.
217
218Kernel config options:
219
220- OVERLAY_FS_REDIRECT_DIR:
221    If this is enabled, then redirect_dir is turned on by  default.
222- OVERLAY_FS_REDIRECT_ALWAYS_FOLLOW:
223    If this is enabled, then redirects are always followed by default. Enabling
224    this results in a less secure configuration.  Enable this option only when
225    worried about backward compatibility with kernels that have the redirect_dir
226    feature and follow redirects even if turned off.
227
228Module options (can also be changed through /sys/module/overlay/parameters/):
229
230- "redirect_dir=BOOL":
231    See OVERLAY_FS_REDIRECT_DIR kernel config option above.
232- "redirect_always_follow=BOOL":
233    See OVERLAY_FS_REDIRECT_ALWAYS_FOLLOW kernel config option above.
234- "redirect_max=NUM":
235    The maximum number of bytes in an absolute redirect (default is 256).
236
237Mount options:
238
239- "redirect_dir=on":
240    Redirects are enabled.
241- "redirect_dir=follow":
242    Redirects are not created, but followed.
243- "redirect_dir=nofollow":
244    Redirects are not created and not followed.
245- "redirect_dir=off":
246    If "redirect_always_follow" is enabled in the kernel/module config,
247    this "off" translates to "follow", otherwise it translates to "nofollow".
248
249When the NFS export feature is enabled, every copied up directory is
250indexed by the file handle of the lower inode and a file handle of the
251upper directory is stored in a "trusted.overlay.upper" extended attribute
252on the index entry.  On lookup of a merged directory, if the upper
253directory does not match the file handle stores in the index, that is an
254indication that multiple upper directories may be redirected to the same
255lower directory.  In that case, lookup returns an error and warns about
256a possible inconsistency.
257
258Because lower layer redirects cannot be verified with the index, enabling
259NFS export support on an overlay filesystem with no upper layer requires
260turning off redirect follow (e.g. "redirect_dir=nofollow").
261
262
263Non-directories
264---------------
265
266Objects that are not directories (files, symlinks, device-special
267files etc.) are presented either from the upper or lower filesystem as
268appropriate.  When a file in the lower filesystem is accessed in a way
269the requires write-access, such as opening for write access, changing
270some metadata etc., the file is first copied from the lower filesystem
271to the upper filesystem (copy_up).  Note that creating a hard-link
272also requires copy_up, though of course creation of a symlink does
273not.
274
275The copy_up may turn out to be unnecessary, for example if the file is
276opened for read-write but the data is not modified.
277
278The copy_up process first makes sure that the containing directory
279exists in the upper filesystem - creating it and any parents as
280necessary.  It then creates the object with the same metadata (owner,
281mode, mtime, symlink-target etc.) and then if the object is a file, the
282data is copied from the lower to the upper filesystem.  Finally any
283extended attributes are copied up.
284
285Once the copy_up is complete, the overlay filesystem simply
286provides direct access to the newly created file in the upper
287filesystem - future operations on the file are barely noticed by the
288overlay filesystem (though an operation on the name of the file such as
289rename or unlink will of course be noticed and handled).
290
291
292Permission model
293----------------
294
295Permission checking in the overlay filesystem follows these principles:
296
297 1) permission check SHOULD return the same result before and after copy up
298
299 2) task creating the overlay mount MUST NOT gain additional privileges
300
301 3) non-mounting task MAY gain additional privileges through the overlay,
302    compared to direct access on underlying lower or upper filesystems
303
304This is achieved by performing two permission checks on each access:
305
306 a) check if current task is allowed access based on local DAC (owner,
307    group, mode and posix acl), as well as MAC checks
308
309 b) check if mounting task would be allowed real operation on lower or
310    upper layer based on underlying filesystem permissions, again including
311    MAC checks
312
313Check (a) ensures consistency (1) since owner, group, mode and posix acls
314are copied up.  On the other hand it can result in server enforced
315permissions (used by NFS, for example) being ignored (3).
316
317Check (b) ensures that no task gains permissions to underlying layers that
318the mounting task does not have (2).  This also means that it is possible
319to create setups where the consistency rule (1) does not hold; normally,
320however, the mounting task will have sufficient privileges to perform all
321operations.
322
323Another way to demonstrate this model is drawing parallels between::
324
325  mount -t overlay overlay -olowerdir=/lower,upperdir=/upper,... /merged
326
327and::
328
329  cp -a /lower /upper
330  mount --bind /upper /merged
331
332The resulting access permissions should be the same.  The difference is in
333the time of copy (on-demand vs. up-front).
334
335
336Multiple lower layers
337---------------------
338
339Multiple lower layers can now be given using the colon (":") as a
340separator character between the directory names.  For example::
341
342  mount -t overlay overlay -olowerdir=/lower1:/lower2:/lower3 /merged
343
344As the example shows, "upperdir=" and "workdir=" may be omitted.  In
345that case the overlay will be read-only.
346
347The specified lower directories will be stacked beginning from the
348rightmost one and going left.  In the above example lower1 will be the
349top, lower2 the middle and lower3 the bottom layer.
350
351Note: directory names containing colons can be provided as lower layer by
352escaping the colons with a single backslash.  For example::
353
354  mount -t overlay overlay -olowerdir=/a\:lower\:\:dir /merged
355
356Since kernel version v6.8, directory names containing colons can also
357be configured as lower layer using the "lowerdir+" mount options and the
358fsconfig syscall from new mount api.  For example::
359
360  fsconfig(fs_fd, FSCONFIG_SET_STRING, "lowerdir+", "/a:lower::dir", 0);
361
362In the latter case, colons in lower layer directory names will be escaped
363as an octal characters (\072) when displayed in /proc/self/mountinfo.
364
365Metadata only copy up
366---------------------
367
368When the "metacopy" feature is enabled, overlayfs will only copy
369up metadata (as opposed to whole file), when a metadata specific operation
370like chown/chmod is performed. Full file will be copied up later when
371file is opened for WRITE operation.
372
373In other words, this is delayed data copy up operation and data is copied
374up when there is a need to actually modify data.
375
376There are multiple ways to enable/disable this feature. A config option
377CONFIG_OVERLAY_FS_METACOPY can be set/unset to enable/disable this feature
378by default. Or one can enable/disable it at module load time with module
379parameter metacopy=on/off. Lastly, there is also a per mount option
380metacopy=on/off to enable/disable this feature per mount.
381
382Do not use metacopy=on with untrusted upper/lower directories. Otherwise
383it is possible that an attacker can create a handcrafted file with
384appropriate REDIRECT and METACOPY xattrs, and gain access to file on lower
385pointed by REDIRECT. This should not be possible on local system as setting
386"trusted." xattrs will require CAP_SYS_ADMIN. But it should be possible
387for untrusted layers like from a pen drive.
388
389Note: redirect_dir={off|nofollow|follow[*]} and nfs_export=on mount options
390conflict with metacopy=on, and will result in an error.
391
392[*] redirect_dir=follow only conflicts with metacopy=on if upperdir=... is
393given.
394
395
396Data-only lower layers
397----------------------
398
399With "metacopy" feature enabled, an overlayfs regular file may be a composition
400of information from up to three different layers:
401
402 1) metadata from a file in the upper layer
403
404 2) st_ino and st_dev object identifier from a file in a lower layer
405
406 3) data from a file in another lower layer (further below)
407
408The "lower data" file can be on any lower layer, except from the top most
409lower layer.
410
411Below the top most lower layer, any number of lower most layers may be defined
412as "data-only" lower layers, using double colon ("::") separators.
413A normal lower layer is not allowed to be below a data-only layer, so single
414colon separators are not allowed to the right of double colon ("::") separators.
415
416
417For example::
418
419  mount -t overlay overlay -olowerdir=/l1:/l2:/l3::/do1::/do2 /merged
420
421The paths of files in the "data-only" lower layers are not visible in the
422merged overlayfs directories and the metadata and st_ino/st_dev of files
423in the "data-only" lower layers are not visible in overlayfs inodes.
424
425Only the data of the files in the "data-only" lower layers may be visible
426when a "metacopy" file in one of the lower layers above it, has a "redirect"
427to the absolute path of the "lower data" file in the "data-only" lower layer.
428
429Since kernel version v6.8, "data-only" lower layers can also be added using
430the "datadir+" mount options and the fsconfig syscall from new mount api.
431For example::
432
433  fsconfig(fs_fd, FSCONFIG_SET_STRING, "lowerdir+", "/l1", 0);
434  fsconfig(fs_fd, FSCONFIG_SET_STRING, "lowerdir+", "/l2", 0);
435  fsconfig(fs_fd, FSCONFIG_SET_STRING, "lowerdir+", "/l3", 0);
436  fsconfig(fs_fd, FSCONFIG_SET_STRING, "datadir+", "/do1", 0);
437  fsconfig(fs_fd, FSCONFIG_SET_STRING, "datadir+", "/do2", 0);
438
439
440fs-verity support
441-----------------
442
443During metadata copy up of a lower file, if the source file has
444fs-verity enabled and overlay verity support is enabled, then the
445digest of the lower file is added to the "trusted.overlay.metacopy"
446xattr. This is then used to verify the content of the lower file
447each the time the metacopy file is opened.
448
449When a layer containing verity xattrs is used, it means that any such
450metacopy file in the upper layer is guaranteed to match the content
451that was in the lower at the time of the copy-up. If at any time
452(during a mount, after a remount, etc) such a file in the lower is
453replaced or modified in any way, access to the corresponding file in
454overlayfs will result in EIO errors (either on open, due to overlayfs
455digest check, or from a later read due to fs-verity) and a detailed
456error is printed to the kernel logs. For more details of how fs-verity
457file access works, see :ref:`Documentation/filesystems/fsverity.rst
458<accessing_verity_files>`.
459
460Verity can be used as a general robustness check to detect accidental
461changes in the overlayfs directories in use. But, with additional care
462it can also give more powerful guarantees. For example, if the upper
463layer is fully trusted (by using dm-verity or something similar), then
464an untrusted lower layer can be used to supply validated file content
465for all metacopy files.  If additionally the untrusted lower
466directories are specified as "Data-only", then they can only supply
467such file content, and the entire mount can be trusted to match the
468upper layer.
469
470This feature is controlled by the "verity" mount option, which
471supports these values:
472
473- "off":
474    The metacopy digest is never generated or used. This is the
475    default if verity option is not specified.
476- "on":
477    Whenever a metacopy files specifies an expected digest, the
478    corresponding data file must match the specified digest. When
479    generating a metacopy file the verity digest will be set in it
480    based on the source file (if it has one).
481- "require":
482    Same as "on", but additionally all metacopy files must specify a
483    digest (or EIO is returned on open). This means metadata copy up
484    will only be used if the data file has fs-verity enabled,
485    otherwise a full copy-up is used.
486
487Sharing and copying layers
488--------------------------
489
490Lower layers may be shared among several overlay mounts and that is indeed
491a very common practice.  An overlay mount may use the same lower layer
492path as another overlay mount and it may use a lower layer path that is
493beneath or above the path of another overlay lower layer path.
494
495Using an upper layer path and/or a workdir path that are already used by
496another overlay mount is not allowed and may fail with EBUSY.  Using
497partially overlapping paths is not allowed and may fail with EBUSY.
498If files are accessed from two overlayfs mounts which share or overlap the
499upper layer and/or workdir path the behavior of the overlay is undefined,
500though it will not result in a crash or deadlock.
501
502Mounting an overlay using an upper layer path, where the upper layer path
503was previously used by another mounted overlay in combination with a
504different lower layer path, is allowed, unless the "index" or "metacopy"
505features are enabled.
506
507With the "index" feature, on the first time mount, an NFS file
508handle of the lower layer root directory, along with the UUID of the lower
509filesystem, are encoded and stored in the "trusted.overlay.origin" extended
510attribute on the upper layer root directory.  On subsequent mount attempts,
511the lower root directory file handle and lower filesystem UUID are compared
512to the stored origin in upper root directory.  On failure to verify the
513lower root origin, mount will fail with ESTALE.  An overlayfs mount with
514"index" enabled will fail with EOPNOTSUPP if the lower filesystem
515does not support NFS export, lower filesystem does not have a valid UUID or
516if the upper filesystem does not support extended attributes.
517
518For the "metacopy" feature, there is no verification mechanism at
519mount time. So if same upper is mounted with different set of lower, mount
520probably will succeed but expect the unexpected later on. So don't do it.
521
522It is quite a common practice to copy overlay layers to a different
523directory tree on the same or different underlying filesystem, and even
524to a different machine.  With the "index" feature, trying to mount
525the copied layers will fail the verification of the lower root file handle.
526
527Nesting overlayfs mounts
528------------------------
529
530It is possible to use a lower directory that is stored on an overlayfs
531mount. For regular files this does not need any special care. However, files
532that have overlayfs attributes, such as whiteouts or "overlay.*" xattrs will be
533interpreted by the underlying overlayfs mount and stripped out. In order to
534allow the second overlayfs mount to see the attributes they must be escaped.
535
536Overlayfs specific xattrs are escaped by using a special prefix of
537"overlay.overlay.". So, a file with a "trusted.overlay.overlay.metacopy" xattr
538in the lower dir will be exposed as a regular file with a
539"trusted.overlay.metacopy" xattr in the overlayfs mount. This can be nested by
540repeating the prefix multiple time, as each instance only removes one prefix.
541
542A lower dir with a regular whiteout will always be handled by the overlayfs
543mount, so to support storing an effective whiteout file in an overlayfs mount an
544alternative form of whiteout is supported. This form is a regular, zero-size
545file with the "overlay.whiteout" xattr set, inside a directory with the
546"overlay.opaque" xattr set to "x" (see `whiteouts and opaque directories`_).
547These alternative whiteouts are never created by overlayfs, but can be used by
548userspace tools (like containers) that generate lower layers.
549These alternative whiteouts can be escaped using the standard xattr escape
550mechanism in order to properly nest to any depth.
551
552Non-standard behavior
553---------------------
554
555Current version of overlayfs can act as a mostly POSIX compliant
556filesystem.
557
558This is the list of cases that overlayfs doesn't currently handle:
559
560 a) POSIX mandates updating st_atime for reads.  This is currently not
561    done in the case when the file resides on a lower layer.
562
563 b) If a file residing on a lower layer is opened for read-only and then
564    memory mapped with MAP_SHARED, then subsequent changes to the file are not
565    reflected in the memory mapping.
566
567 c) If a file residing on a lower layer is being executed, then opening that
568    file for write or truncating the file will not be denied with ETXTBSY.
569
570The following options allow overlayfs to act more like a standards
571compliant filesystem:
572
573redirect_dir
574````````````
575
576Enabled with the mount option or module option: "redirect_dir=on" or with
577the kernel config option CONFIG_OVERLAY_FS_REDIRECT_DIR=y.
578
579If this feature is disabled, then rename(2) on a lower or merged directory
580will fail with EXDEV ("Invalid cross-device link").
581
582index
583`````
584
585Enabled with the mount option or module option "index=on" or with the
586kernel config option CONFIG_OVERLAY_FS_INDEX=y.
587
588If this feature is disabled and a file with multiple hard links is copied
589up, then this will "break" the link.  Changes will not be propagated to
590other names referring to the same inode.
591
592xino
593````
594
595Enabled with the mount option "xino=auto" or "xino=on", with the module
596option "xino_auto=on" or with the kernel config option
597CONFIG_OVERLAY_FS_XINO_AUTO=y.  Also implicitly enabled by using the same
598underlying filesystem for all layers making up the overlay.
599
600If this feature is disabled or the underlying filesystem doesn't have
601enough free bits in the inode number, then overlayfs will not be able to
602guarantee that the values of st_ino and st_dev returned by stat(2) and the
603value of d_ino returned by readdir(3) will act like on a normal filesystem.
604E.g. the value of st_dev may be different for two objects in the same
605overlay filesystem and the value of st_ino for filesystem objects may not be
606persistent and could change even while the overlay filesystem is mounted, as
607summarized in the `Inode properties`_ table above.
608
609
610Changes to underlying filesystems
611---------------------------------
612
613Changes to the underlying filesystems while part of a mounted overlay
614filesystem are not allowed.  If the underlying filesystem is changed,
615the behavior of the overlay is undefined, though it will not result in
616a crash or deadlock.
617
618Offline changes, when the overlay is not mounted, are allowed to the
619upper tree.  Offline changes to the lower tree are only allowed if the
620"metacopy", "index", "xino" and "redirect_dir" features
621have not been used.  If the lower tree is modified and any of these
622features has been used, the behavior of the overlay is undefined,
623though it will not result in a crash or deadlock.
624
625When the overlay NFS export feature is enabled, overlay filesystems
626behavior on offline changes of the underlying lower layer is different
627than the behavior when NFS export is disabled.
628
629On every copy_up, an NFS file handle of the lower inode, along with the
630UUID of the lower filesystem, are encoded and stored in an extended
631attribute "trusted.overlay.origin" on the upper inode.
632
633When the NFS export feature is enabled, a lookup of a merged directory,
634that found a lower directory at the lookup path or at the path pointed
635to by the "trusted.overlay.redirect" extended attribute, will verify
636that the found lower directory file handle and lower filesystem UUID
637match the origin file handle that was stored at copy_up time.  If a
638found lower directory does not match the stored origin, that directory
639will not be merged with the upper directory.
640
641
642
643NFS export
644----------
645
646When the underlying filesystems supports NFS export and the "nfs_export"
647feature is enabled, an overlay filesystem may be exported to NFS.
648
649With the "nfs_export" feature, on copy_up of any lower object, an index
650entry is created under the index directory.  The index entry name is the
651hexadecimal representation of the copy up origin file handle.  For a
652non-directory object, the index entry is a hard link to the upper inode.
653For a directory object, the index entry has an extended attribute
654"trusted.overlay.upper" with an encoded file handle of the upper
655directory inode.
656
657When encoding a file handle from an overlay filesystem object, the
658following rules apply:
659
660 1. For a non-upper object, encode a lower file handle from lower inode
661 2. For an indexed object, encode a lower file handle from copy_up origin
662 3. For a pure-upper object and for an existing non-indexed upper object,
663    encode an upper file handle from upper inode
664
665The encoded overlay file handle includes:
666
667 - Header including path type information (e.g. lower/upper)
668 - UUID of the underlying filesystem
669 - Underlying filesystem encoding of underlying inode
670
671This encoding format is identical to the encoding format file handles that
672are stored in extended attribute "trusted.overlay.origin".
673
674When decoding an overlay file handle, the following steps are followed:
675
676 1. Find underlying layer by UUID and path type information.
677 2. Decode the underlying filesystem file handle to underlying dentry.
678 3. For a lower file handle, lookup the handle in index directory by name.
679 4. If a whiteout is found in index, return ESTALE. This represents an
680    overlay object that was deleted after its file handle was encoded.
681 5. For a non-directory, instantiate a disconnected overlay dentry from the
682    decoded underlying dentry, the path type and index inode, if found.
683 6. For a directory, use the connected underlying decoded dentry, path type
684    and index, to lookup a connected overlay dentry.
685
686Decoding a non-directory file handle may return a disconnected dentry.
687copy_up of that disconnected dentry will create an upper index entry with
688no upper alias.
689
690When overlay filesystem has multiple lower layers, a middle layer
691directory may have a "redirect" to lower directory.  Because middle layer
692"redirects" are not indexed, a lower file handle that was encoded from the
693"redirect" origin directory, cannot be used to find the middle or upper
694layer directory.  Similarly, a lower file handle that was encoded from a
695descendant of the "redirect" origin directory, cannot be used to
696reconstruct a connected overlay path.  To mitigate the cases of
697directories that cannot be decoded from a lower file handle, these
698directories are copied up on encode and encoded as an upper file handle.
699On an overlay filesystem with no upper layer this mitigation cannot be
700used NFS export in this setup requires turning off redirect follow (e.g.
701"redirect_dir=nofollow").
702
703The overlay filesystem does not support non-directory connectable file
704handles, so exporting with the 'subtree_check' exportfs configuration will
705cause failures to lookup files over NFS.
706
707When the NFS export feature is enabled, all directory index entries are
708verified on mount time to check that upper file handles are not stale.
709This verification may cause significant overhead in some cases.
710
711Note: the mount options index=off,nfs_export=on are conflicting for a
712read-write mount and will result in an error.
713
714Note: the mount option uuid=off can be used to replace UUID of the underlying
715filesystem in file handles with null, and effectively disable UUID checks. This
716can be useful in case the underlying disk is copied and the UUID of this copy
717is changed. This is only applicable if all lower/upper/work directories are on
718the same filesystem, otherwise it will fallback to normal behaviour.
719
720
721UUID and fsid
722-------------
723
724The UUID of overlayfs instance itself and the fsid reported by statfs(2) are
725controlled by the "uuid" mount option, which supports these values:
726
727- "null":
728    UUID of overlayfs is null. fsid is taken from upper most filesystem.
729- "off":
730    UUID of overlayfs is null. fsid is taken from upper most filesystem.
731    UUID of underlying layers is ignored.
732- "on":
733    UUID of overlayfs is generated and used to report a unique fsid.
734    UUID is stored in xattr "trusted.overlay.uuid", making overlayfs fsid
735    unique and persistent.  This option requires an overlayfs with upper
736    filesystem that supports xattrs.
737- "auto": (default)
738    UUID is taken from xattr "trusted.overlay.uuid" if it exists.
739    Upgrade to "uuid=on" on first time mount of new overlay filesystem that
740    meets the prerequites.
741    Downgrade to "uuid=null" for existing overlay filesystems that were never
742    mounted with "uuid=on".
743
744
745Volatile mount
746--------------
747
748This is enabled with the "volatile" mount option.  Volatile mounts are not
749guaranteed to survive a crash.  It is strongly recommended that volatile
750mounts are only used if data written to the overlay can be recreated
751without significant effort.
752
753The advantage of mounting with the "volatile" option is that all forms of
754sync calls to the upper filesystem are omitted.
755
756In order to avoid a giving a false sense of safety, the syncfs (and fsync)
757semantics of volatile mounts are slightly different than that of the rest of
758VFS.  If any writeback error occurs on the upperdir's filesystem after a
759volatile mount takes place, all sync functions will return an error.  Once this
760condition is reached, the filesystem will not recover, and every subsequent sync
761call will return an error, even if the upperdir has not experience a new error
762since the last sync call.
763
764When overlay is mounted with "volatile" option, the directory
765"$workdir/work/incompat/volatile" is created.  During next mount, overlay
766checks for this directory and refuses to mount if present. This is a strong
767indicator that user should throw away upper and work directories and create
768fresh one. In very limited cases where the user knows that the system has
769not crashed and contents of upperdir are intact, The "volatile" directory
770can be removed.
771
772
773User xattr
774----------
775
776The "-o userxattr" mount option forces overlayfs to use the
777"user.overlay." xattr namespace instead of "trusted.overlay.".  This is
778useful for unprivileged mounting of overlayfs.
779
780
781Testsuite
782---------
783
784There's a testsuite originally developed by David Howells and currently
785maintained by Amir Goldstein at:
786
787https://github.com/amir73il/unionmount-testsuite.git
788
789Run as root::
790
791  # cd unionmount-testsuite
792  # ./run --ov --verify
793