Overlay objects¶

The overlay filesystem approach is ‘hybrid’, because the objects thatappear in the filesystem do not always appear to belong to that filesystem.In many cases, an object accessed in theunionwill be indistinguishablefrom accessing the corresponding object from the original filesystem.This is most obvious from the ‘st_dev’ field returned by stat(2).

While directories will report an st_dev from the overlay-filesystem,non-directory objects may report an st_dev from the lower filesystem orupper filesystem that is providing the object. Similarly st_ino willonly be unique when combined with st_dev, and both of these can changeover the lifetime of a non-directory object. Many applications andtools ignore these values and will not be affected.

In the special case of all overlay layers on the same underlyingfilesystem, all objects will report an st_dev from the overlayfilesystem and st_ino from the underlying filesystem. This willmake the overlay mount more compliant with filesystem scanners andoverlay objects will be distinguishable from the correspondingobjects in the original filesystem.

On 64bit systems, even if all overlay layers are not on the sameunderlying filesystem, the same compliant behavior could be achievedwith the “xino” feature. The “xino” feature composes a unique objectidentifier from the real object st_ino and an underlying fsid number.The “xino” feature uses the high inode number bits for fsid, because theunderlying filesystems rarely use the high inode number bits. In casethe underlying inode number does overflow into the high xino bits, overlayfilesystem will fall back to the non xino behavior for that inode.

The “xino” feature can be enabled with the “-o xino=on” overlay mount option.If all underlying filesystems support NFS file handles, the value of st_inofor overlay filesystem objects is not only unique, but also persistent overthe lifetime of the filesystem. The “-o xino=auto” overlay mount optionenables the “xino” feature only if the persistent st_ino requirement is met.

The following table summarizes what can be expected in different overlayconfigurations.

Upper and Lower¶

An overlay filesystem combines two filesystems - an ‘upper’ filesystemand a ‘lower’ filesystem. When a name exists in both filesystems, theobject in the ‘upper’ filesystem is visible while the object in the‘lower’ filesystem is either hidden or, in the case of directories,merged with the ‘upper’ object.

It would be more correct to refer to an upper and lower ‘directorytree’ rather than ‘filesystem’ as it is quite possible for bothdirectory trees to be in the same filesystem and there is norequirement that the root of a filesystem be given for either upper orlower.

A wide range of filesystems supported by Linux can be the lower filesystem,but not all filesystems that are mountable by Linux have the featuresneeded for OverlayFS to work. The lower filesystem does not need to bewritable. The lower filesystem can even be another overlayfs. The upperfilesystem will normally be writable and if it is it must support thecreation of trusted.* and/or user.* extended attributes, and must providevalid d_type in readdir responses, so NFS is not suitable.

A read-only overlay of two read-only filesystems may use anyfilesystem type.

Directories¶

Overlaying mainly involves directories. If a given name appears in bothupper and lower filesystems and refers to a non-directory in either,then the lower object is hidden - the name refers only to the upperobject.

Where both upper and lower objects are directories, a merged directoryis formed.

At mount time, the two directories given as mount options “lowerdir” and“upperdir” are combined into a merged directory:

mount -t overlay overlay -olowerdir=/lower,upperdir=/upper,\workdir=/work /merged

The “workdir” needs to be an empty directory on the same filesystemas upperdir.

Then whenever a lookup is requested in such a merged directory, thelookup is performed in each actual directory and the combined resultis cached in the dentry belonging to the overlay filesystem. If bothactual lookups find directories, both are stored and a mergeddirectory is created, otherwise only one is stored: the upper if itexists, else the lower.

Only the lists of names from directories are merged. Other contentsuch as metadata and extended attributes are reported for the upperdirectory only. These attributes of the lower directory are hidden.

whiteouts and opaque directories¶

In order to support rm and rmdir without changing the lowerfilesystem, an overlay filesystem needs to record in the upper filesystemthat files have been removed. This is done using whiteouts and opaquedirectories (non-directories are always opaque).

A whiteout is created as a character device with 0/0 device number oras a zero-size regular file with the xattr “trusted.overlay.whiteout”.

When a whiteout is found in the upper level of a merged directory, anymatching name in the lower level is ignored, and the whiteout itselfis also hidden.

A directory is made opaque by setting the xattr “trusted.overlay.opaque”to “y”. Where the upper filesystem contains an opaque directory, anydirectory in the lower filesystem with the same name is ignored.

An opaque directory should not contain any whiteouts, because they do notserve any purpose. A merge directory containing regular files with the xattr“trusted.overlay.whiteout”, should be additionally marked by setting the xattr“trusted.overlay.opaque” to “x” on the merge directory itself.This is needed to avoid the overhead of checking the “trusted.overlay.whiteout”on all entries during readdir in the common case.

readdir¶

When a ‘readdir’ request is made on a merged directory, the upper andlower directories are each read and the name lists merged in theobvious way (upper is read first, then lower - entries that alreadyexist are not re-added). This merged name list is cached in the‘structfile’ and so remains as long as the file is kept open. If thedirectory is opened and read by two processes at the same time, theywill each have separate caches. A seekdir to the start of thedirectory (offset 0) followed by a readdir will cause the cache to bediscarded and rebuilt.

This means that changes to the merged directory do not appear while adirectory is being read. This is unlikely to be noticed by manyprograms.

seek offsets are assigned sequentially when the directories are read.Thus if:

• read part of a directory

• remember an offset, and close the directory

• re-open the directory some time later

• seek to the remembered offset

there may be little correlation between the old and new locations inthe list of filenames, particularly if anything has changed in thedirectory.

Readdir on directories that are not merged is simply handled by theunderlying directory (upper or lower).

renaming directories¶

When renaming a directory that is on the lower layer or merged (i.e. thedirectory was not created on the upper layer to start with) overlayfs canhandle it in two different ways:

1. return EXDEV error: this error is returned by rename(2) when trying tomove a file or directory across filesystem boundaries. Henceapplications are usually prepared to handle this error (mv(1) for examplerecursively copies the directory tree). This is the default behavior.

2. If the “redirect_dir” feature is enabled, then the directory will becopied up (but not the contents). Then the “trusted.overlay.redirect”extended attribute is set to the path of the original location from theroot of the overlay. Finally the directory is moved to the newlocation.

There are several ways to tune the “redirect_dir” feature.

Kernel config options:

• OVERLAY_FS_REDIRECT_DIR:

  If this is enabled, then redirect_dir is turned on by default.

• OVERLAY_FS_REDIRECT_ALWAYS_FOLLOW:

  If this is enabled, then redirects are always followed by default. Enablingthis results in a less secure configuration. Enable this option only whenworried about backward compatibility with kernels that have the redirect_dirfeature and follow redirects even if turned off.

Module options (can also be changed through /sys/module/overlay/parameters/):

• “redirect_dir=BOOL”:

  See OVERLAY_FS_REDIRECT_DIR kernel config option above.

• “redirect_always_follow=BOOL”:

  See OVERLAY_FS_REDIRECT_ALWAYS_FOLLOW kernel config option above.

• “redirect_max=NUM”:

  The maximum number of bytes in an absolute redirect (default is 256).

Mount options:

• “redirect_dir=on”:

  Redirects are enabled.

• “redirect_dir=follow”:

  Redirects are not created, but followed.

• “redirect_dir=nofollow”:

  Redirects are not created and not followed.

• “redirect_dir=off”:

  If “redirect_always_follow” is enabled in the kernel/module config,this “off” translates to “follow”, otherwise it translates to “nofollow”.

When the NFS export feature is enabled, every copied up directory isindexed by the file handle of the lower inode and a file handle of theupper directory is stored in a “trusted.overlay.upper” extended attributeon the index entry. On lookup of a merged directory, if the upperdirectory does not match the file handle stores in the index, that is anindication that multiple upper directories may be redirected to the samelower directory. In that case, lookup returns an error and warns abouta possible inconsistency.

Because lower layer redirects cannot be verified with the index, enablingNFS export support on an overlay filesystem with no upper layer requiresturning off redirect follow (e.g. “redirect_dir=nofollow”).

Non-directories¶

Objects that are not directories (files, symlinks, device-specialfiles etc.) are presented either from the upper or lower filesystem asappropriate. When a file in the lower filesystem is accessed in a waythat requires write-access, such as opening for write access, changingsome metadata etc., the file is first copied from the lower filesystemto the upper filesystem (copy_up). Note that creating a hard-linkalso requires copy_up, though of course creation of a symlink doesnot.

The copy_up may turn out to be unnecessary, for example if the file isopened for read-write but the data is not modified.

The copy_up process first makes sure that the containing directoryexists in the upper filesystem - creating it and any parents asnecessary. It then creates the object with the same metadata (owner,mode, mtime, symlink-target etc.) and then if the object is a file, thedata is copied from the lower to the upper filesystem. Finally anyextended attributes are copied up.

Once the copy_up is complete, the overlay filesystem simplyprovides direct access to the newly created file in the upperfilesystem - future operations on the file are barely noticed by theoverlay filesystem (though an operation on the name of the file such asrename or unlink will of course be noticed and handled).

Permission model¶

An overlay filesystem stashes credentials that will be used whenaccessing lower or upper filesystems.

In the old mount api the credentials of the task calling mount(2) arestashed. In the new mount api the credentials of the task creating thesuperblock through FSCONFIG_CMD_CREATE command of fsconfig(2) arestashed.

Starting with kernel v6.15 it is possible to use the “override_creds”mount option which will cause the credentials of the calling task to berecorded. Note that “override_creds” is only meaningful when used withthe new mount api as the old mount api combines setting options andsuperblock creation in a single mount(2) syscall.

Permission checking in the overlay filesystem follows these principles:

1. permission check SHOULD return the same result before and after copy up

2. task creating the overlay mount MUST NOT gain additional privileges

3. task[*] MAY gain additional privileges through the overlay,compared to direct access on underlying lower or upper filesystems

This is achieved by performing two permission checks on each access:

1. check if current task is allowed access based on local DAC (owner,group, mode and posix acl), as well as MAC checks

2. check if stashed credentials would be allowed real operation on lower orupper layer based on underlying filesystem permissions, again includingMAC checks

Check (a) ensures consistency (1) since owner, group, mode and posix aclsare copied up. On the other hand it can result in server enforcedpermissions (used by NFS, for example) being ignored (3).

Check (b) ensures that no task gains permissions to underlying layers thatthe stashed credentials do not have (2). This also means that it is possibleto create setups where the consistency rule (1) does not hold; normally,however, the stashed credentials will have sufficient privileges toperform all operations.

Another way to demonstrate this model is drawing parallels between:

mount -t overlay overlay -olowerdir=/lower,upperdir=/upper,... /merged

and:

cp -a /lower /uppermount --bind /upper /merged

The resulting access permissions should be the same. The difference is inthe time of copy (on-demand vs. up-front).

Multiple lower layers¶

Multiple lower layers can now be given using the colon (“:”) as aseparator character between the directory names. For example:

mount -t overlay overlay -olowerdir=/lower1:/lower2:/lower3 /merged

As the example shows, “upperdir=” and “workdir=” may be omitted. Inthat case the overlay will be read-only.

The specified lower directories will be stacked beginning from therightmost one and going left. In the above example lower1 will be thetop, lower2 the middle and lower3 the bottom layer.

Note: directory names containing colons can be provided as lower layer byescaping the colons with a single backslash. For example:

mount -t overlay overlay -olowerdir=/a\:lower\:\:dir /merged

Since kernel version v6.8, directory names containing colons can alsobe configured as lower layer using the “lowerdir+” mount options and thefsconfig syscall from new mount api. For example:

fsconfig(fs_fd, FSCONFIG_SET_STRING, "lowerdir+", "/a:lower::dir", 0);

In the latter case, colons in lower layer directory names will be escapedas an octal characters (072) when displayed in /proc/self/mountinfo.

Metadata only copy up¶

When the “metacopy” feature is enabled, overlayfs will only copyup metadata (as opposed to whole file), when a metadata specific operationlike chown/chmod is performed. An upper file in this state is marked with“trusted.overlayfs.metacopy” xattr which indicates that the upper filecontains no data. The data will be copied up later when file is opened forWRITE operation. After the lower file’s data is copied up,the “trusted.overlayfs.metacopy” xattr is removed from the upper file.

In other words, this is delayed data copy up operation and data is copiedup when there is a need to actually modify data.

There are multiple ways to enable/disable this feature. A config optionCONFIG_OVERLAY_FS_METACOPY can be set/unset to enable/disable this featureby default. Or one can enable/disable it at module load time with moduleparameter metacopy=on/off. Lastly, there is also a per mount optionmetacopy=on/off to enable/disable this feature per mount.

Do not use metacopy=on with untrusted upper/lower directories. Otherwiseit is possible that an attacker can create a handcrafted file withappropriate REDIRECT and METACOPY xattrs, and gain access to file on lowerpointed by REDIRECT. This should not be possible on local system as setting“trusted.” xattrs will require CAP_SYS_ADMIN. But it should be possiblefor untrusted layers like from a pen drive.

Note: redirect_dir={off|nofollow|follow[*]} and nfs_export=on mount optionsconflict with metacopy=on, and will result in an error.

[*] redirect_dir=follow only conflicts with metacopy=on if upperdir=... isgiven.

Data-only lower layers¶

With “metacopy” feature enabled, an overlayfs regular file may be a compositionof information from up to three different layers:

1. metadata from a file in the upper layer

2. st_ino and st_dev object identifier from a file in a lower layer

3. data from a file in another lower layer (further below)

The “lower data” file can be on any lower layer, except from the top mostlower layer.

Below the topmost lower layer, any number of lowermost layers may be definedas “data-only” lower layers, using double colon (“::”) separators.A normal lower layer is not allowed to be below a data-only layer, so singlecolon separators are not allowed to the right of double colon (“::”) separators.

For example:

mount -t overlay overlay -olowerdir=/l1:/l2:/l3::/do1::/do2 /merged

The paths of files in the “data-only” lower layers are not visible in themerged overlayfs directories and the metadata and st_ino/st_dev of filesin the “data-only” lower layers are not visible in overlayfs inodes.

Only the data of the files in the “data-only” lower layers may be visiblewhen a “metacopy” file in one of the lower layers above it, has a “redirect”to the absolute path of the “lower data” file in the “data-only” lower layer.

Instead of explicitly enabling “metacopy=on” it is sufficient to specify atleast one data-only layer to enable redirection of data to a data-only layer.In this case other forms of metacopy are rejected. Note: this way, data-onlylayers may be used together with “userxattr”, in which case careful attentionmust be given to privileges needed to change the “user.overlay.redirect” xattrto prevent misuse.

Since kernel version v6.8, “data-only” lower layers can also be added usingthe “datadir+” mount options and the fsconfig syscall from new mount api.For example:

fsconfig(fs_fd, FSCONFIG_SET_STRING, "lowerdir+", "/l1", 0);fsconfig(fs_fd, FSCONFIG_SET_STRING, "lowerdir+", "/l2", 0);fsconfig(fs_fd, FSCONFIG_SET_STRING, "lowerdir+", "/l3", 0);fsconfig(fs_fd, FSCONFIG_SET_STRING, "datadir+", "/do1", 0);fsconfig(fs_fd, FSCONFIG_SET_STRING, "datadir+", "/do2", 0);

Specifying layers via file descriptors¶

Since kernel v6.13, overlayfs supports specifying layers via file descriptors inaddition to specifying them as paths. This feature is available for the“datadir+”, “lowerdir+”, “upperdir”, and “workdir+” mount options with thefsconfig syscall from the new mount api:

fsconfig(fs_fd, FSCONFIG_SET_FD, "lowerdir+", NULL, fd_lower1);fsconfig(fs_fd, FSCONFIG_SET_FD, "lowerdir+", NULL, fd_lower2);fsconfig(fs_fd, FSCONFIG_SET_FD, "lowerdir+", NULL, fd_lower3);fsconfig(fs_fd, FSCONFIG_SET_FD, "datadir+", NULL, fd_data1);fsconfig(fs_fd, FSCONFIG_SET_FD, "datadir+", NULL, fd_data2);fsconfig(fs_fd, FSCONFIG_SET_FD, "workdir", NULL, fd_work);fsconfig(fs_fd, FSCONFIG_SET_FD, "upperdir", NULL, fd_upper);

fs-verity support¶

During metadata copy up of a lower file, if the source file hasfs-verity enabled and overlay verity support is enabled, then thedigest of the lower file is added to the “trusted.overlay.metacopy”xattr. This is then used to verify the content of the lower fileeach the time the metacopy file is opened.

When a layer containing verity xattrs is used, it means that any suchmetacopy file in the upper layer is guaranteed to match the contentthat was in the lower at the time of the copy-up. If at any time(during a mount, after a remount, etc) such a file in the lower isreplaced or modified in any way, access to the corresponding file inoverlayfs will result in EIO errors (either on open, due to overlayfsdigest check, or from a later read due to fs-verity) and a detailederror is printed to the kernel logs. For more details of how fs-verityfile access works, seeDocumentation/filesystems/fsverity.rst.

Verity can be used as a general robustness check to detect accidentalchanges in the overlayfs directories in use. But, with additional careit can also give more powerful guarantees. For example, if the upperlayer is fully trusted (by using dm-verity or something similar), thenan untrusted lower layer can be used to supply validated file contentfor all metacopy files. If additionally the untrusted lowerdirectories are specified as “Data-only”, then they can only supplysuch file content, and the entire mount can be trusted to match theupper layer.

This feature is controlled by the “verity” mount option, whichsupports these values:

• “off”:

  The metacopy digest is never generated or used. This is thedefault if verity option is not specified.

• “on”:

  Whenever a metacopy file specifies an expected digest, thecorresponding data file must match the specified digest. Whengenerating a metacopy file the verity digest will be set in itbased on the source file (if it has one).

• “require”:

  Same as “on”, but additionally all metacopy files must specify adigest (or EIO is returned on open). This means metadata copy upwill only be used if the data file has fs-verity enabled,otherwise a full copy-up is used.

Sharing and copying layers¶

Lower layers may be shared among several overlay mounts and that is indeeda very common practice. An overlay mount may use the same lower layerpath as another overlay mount and it may use a lower layer path that isbeneath or above the path of another overlay lower layer path.

Using an upper layer path and/or a workdir path that are already used byanother overlay mount is not allowed and may fail with EBUSY. Usingpartially overlapping paths is not allowed and may fail with EBUSY.If files are accessed from two overlayfs mounts which share or overlap theupper layer and/or workdir path, the behavior of the overlay is undefined,though it will not result in a crash or deadlock.

Mounting an overlay using an upper layer path, where the upper layer pathwas previously used by another mounted overlay in combination with adifferent lower layer path, is allowed, unless the “index” or “metacopy”features are enabled.

With the “index” feature, on the first time mount, an NFS filehandle of the lower layer root directory, along with the UUID of the lowerfilesystem, are encoded and stored in the “trusted.overlay.origin” extendedattribute on the upper layer root directory. On subsequent mount attempts,the lower root directory file handle and lower filesystem UUID are comparedto the stored origin in upper root directory. On failure to verify thelower root origin, mount will fail with ESTALE. An overlayfs mount with“index” enabled will fail with EOPNOTSUPP if the lower filesystemdoes not support NFS export, lower filesystem does not have a valid UUID orif the upper filesystem does not support extended attributes.

For the “metacopy” feature, there is no verification mechanism atmount time. So if same upper is mounted with different set of lower, mountprobably will succeed but expect the unexpected later on. So don’t do it.

It is quite a common practice to copy overlay layers to a differentdirectory tree on the same or different underlying filesystem, and evento a different machine. With the “index” feature, trying to mountthe copied layers will fail the verification of the lower root file handle.

Nesting overlayfs mounts¶

It is possible to use a lower directory that is stored on an overlayfsmount. For regular files this does not need any special care. However, filesthat have overlayfs attributes, such as whiteouts or “overlay.*” xattrs, willbe interpreted by the underlying overlayfs mount and stripped out. In order toallow the second overlayfs mount to see the attributes they must be escaped.

Overlayfs specific xattrs are escaped by using a special prefix of“overlay.overlay.”. So, a file with a “trusted.overlay.overlay.metacopy” xattrin the lower dir will be exposed as a regular file with a“trusted.overlay.metacopy” xattr in the overlayfs mount. This can be nested byrepeating the prefix multiple time, as each instance only removes one prefix.

A lower dir with a regular whiteout will always be handled by the overlayfsmount, so to support storing an effective whiteout file in an overlayfs mount analternative form of whiteout is supported. This form is a regular, zero-sizefile with the “overlay.whiteout” xattr set, inside a directory with the“overlay.opaque” xattr set to “x” (seewhiteouts and opaque directories).These alternative whiteouts are never created by overlayfs, but can be used byuserspace tools (like containers) that generate lower layers.These alternative whiteouts can be escaped using the standard xattr escapemechanism in order to properly nest to any depth.

Non-standard behavior¶

Current version of overlayfs can act as a mostly POSIX compliantfilesystem.

This is the list of cases that overlayfs doesn’t currently handle:

1. POSIX mandates updating st_atime for reads. This is currently notdone in the case when the file resides on a lower layer.

2. If a file residing on a lower layer is opened for read-only and thenmemory mapped with MAP_SHARED, then subsequent changes to the file are notreflected in the memory mapping.

3. If a file residing on a lower layer is being executed, then opening thatfile for write or truncating the file will not be denied with ETXTBSY.

The following options allow overlayfs to act more like a standardscompliant filesystem:

Changes to underlying filesystems¶

Changes to the underlying filesystems while part of a mounted overlayfilesystem are not allowed. If the underlying filesystem is changed,the behavior of the overlay is undefined, though it will not result ina crash or deadlock.

Offline changes, when the overlay is not mounted, are allowed to theupper tree. Offline changes to the lower tree are only allowed if the“metacopy”, “index”, “xino” and “redirect_dir” featureshave not been used. If the lower tree is modified and any of thesefeatures has been used, the behavior of the overlay is undefined,though it will not result in a crash or deadlock.

When the overlay NFS export feature is enabled, overlay filesystemsbehavior on offline changes of the underlying lower layer is differentthan the behavior when NFS export is disabled.

On every copy_up, an NFS file handle of the lower inode, along with theUUID of the lower filesystem, are encoded and stored in an extendedattribute “trusted.overlay.origin” on the upper inode.

When the NFS export feature is enabled, a lookup of a merged directory,that found a lower directory at the lookup path or at the path pointedto by the “trusted.overlay.redirect” extended attribute, will verifythat the found lower directory file handle and lower filesystem UUIDmatch the origin file handle that was stored at copy_up time. If afound lower directory does not match the stored origin, that directorywill not be merged with the upper directory.

NFS export¶

When the underlying filesystems supports NFS export and the “nfs_export”feature is enabled, an overlay filesystem may be exported to NFS.

With the “nfs_export” feature, on copy_up of any lower object, an indexentry is created under the index directory. The index entry name is thehexadecimal representation of the copy up origin file handle. For anon-directory object, the index entry is a hard link to the upper inode.For a directory object, the index entry has an extended attribute“trusted.overlay.upper” with an encoded file handle of the upperdirectory inode.

When encoding a file handle from an overlay filesystem object, thefollowing rules apply:

1. For a non-upper object, encode a lower file handle from lower inode

2. For an indexed object, encode a lower file handle from copy_up origin

3. For a pure-upper object and for an existing non-indexed upper object,encode an upper file handle from upper inode

The encoded overlay file handle includes:

• Header including path type information (e.g. lower/upper)

• UUID of the underlying filesystem

• Underlying filesystem encoding of underlying inode

This encoding format is identical to the encoding format file handles thatare stored in extended attribute “trusted.overlay.origin”.

When decoding an overlay file handle, the following steps are followed:

1. Find underlying layer by UUID and path type information.

2. Decode the underlying filesystem file handle to underlying dentry.

3. For a lower file handle, lookup the handle in index directory by name.

4. If a whiteout is found in index, return ESTALE. This represents anoverlay object that was deleted after its file handle was encoded.

5. For a non-directory, instantiate a disconnected overlay dentry from thedecoded underlying dentry, the path type and index inode, if found.

6. For a directory, use the connected underlying decoded dentry, path typeand index, to lookup a connected overlay dentry.

Decoding a non-directory file handle may return a disconnected dentry.copy_up of that disconnected dentry will create an upper index entry withno upper alias.

When overlay filesystem has multiple lower layers, a middle layerdirectory may have a “redirect” to lower directory. Because middle layer“redirects” are not indexed, a lower file handle that was encoded from the“redirect” origin directory, cannot be used to find the middle or upperlayer directory. Similarly, a lower file handle that was encoded from adescendant of the “redirect” origin directory, cannot be used toreconstruct a connected overlay path. To mitigate the cases ofdirectories that cannot be decoded from a lower file handle, thesedirectories are copied up on encode and encoded as an upper file handle.On an overlay filesystem with no upper layer this mitigation cannot beused NFS export in this setup requires turning off redirect follow (e.g.“redirect_dir=nofollow”).

The overlay filesystem does not support non-directory connectable filehandles, so exporting with the ‘subtree_check’ exportfs configuration willcause failures to lookup files over NFS.

When the NFS export feature is enabled, all directory index entries areverified on mount time to check that upper file handles are not stale.This verification may cause significant overhead in some cases.

Note: the mount options index=off,nfs_export=on are conflicting for aread-write mount and will result in an error.

Note: the mount option uuid=off can be used to replace UUID of the underlyingfilesystem in file handles with null, and effectively disable UUID checks. Thiscan be useful in case the underlying disk is copied and the UUID of this copyis changed. This is only applicable if all lower/upper/work directories are onthe same filesystem, otherwise it will fallback to normal behaviour.

UUID and fsid¶

The UUID of overlayfs instance itself and the fsid reported by statfs(2) arecontrolled by the “uuid” mount option, which supports these values:

• “null”:

  UUID of overlayfs is null. fsid is taken from upper most filesystem.

• “off”:

  UUID of overlayfs is null. fsid is taken from upper most filesystem.UUID of underlying layers is ignored.

• “on”:

  UUID of overlayfs is generated and used to report a unique fsid.UUID is stored in xattr “trusted.overlay.uuid”, making overlayfs fsidunique and persistent. This option requires an overlayfs with upperfilesystem that supports xattrs.

• “auto”: (default)

  UUID is taken from xattr “trusted.overlay.uuid” if it exists.Upgrade to “uuid=on” on first time mount of new overlay filesystem thatmeets the prerequisites.Downgrade to “uuid=null” for existing overlay filesystems that were nevermounted with “uuid=on”.

Volatile mount¶

This is enabled with the “volatile” mount option. Volatile mounts are notguaranteed to survive a crash. It is strongly recommended that volatilemounts are only used if data written to the overlay can be recreatedwithout significant effort.

The advantage of mounting with the “volatile” option is that all forms ofsync calls to the upper filesystem are omitted.

In order to avoid giving a false sense of safety, the syncfs (and fsync)semantics of volatile mounts are slightly different than that of the rest ofVFS. If any writeback error occurs on the upperdir’s filesystem after avolatile mount takes place, all sync functions will return an error. Once thiscondition is reached, the filesystem will not recover, and every subsequent synccall will return an error, even if the upperdir has not experienced a new errorsince the last sync call.

When overlay is mounted with “volatile” option, the directory“$workdir/work/incompat/volatile” is created. During next mount, overlaychecks for this directory and refuses to mount if present. This is a strongindicator that the user should discard upper and work directories and createfresh ones. In very limited cases where the user knows that the system hasnot crashed and contents of upperdir are intact, the “volatile” directorycan be removed.

User xattr¶

The “-o userxattr” mount option forces overlayfs to use the“user.overlay.” xattr namespace instead of “trusted.overlay.”. This isuseful for unprivileged mounting of overlayfs.

Testsuite¶

There’s a testsuite originally developed by David Howells and currentlymaintained by Amir Goldstein at:

https://github.com/amir73il/unionmount-testsuite.git

Run as root:

# cd unionmount-testsuite# ./run --ov --verify