1.. SPDX-License-Identifier: GPL-2.0 2 3Written by: Neil Brown 4Please see MAINTAINERS file for where to send questions. 5 6Overlay Filesystem 7================== 8 9This document describes a prototype for a new approach to providing 10overlay-filesystem functionality in Linux (sometimes referred to as 11union-filesystems). An overlay-filesystem tries to present a 12filesystem which is the result over overlaying one filesystem on top 13of the other. 14 15 16Overlay objects 17--------------- 18 19The overlay filesystem approach is 'hybrid', because the objects that 20appear in the filesystem do not always appear to belong to that filesystem. 21In many cases, an object accessed in the union will be indistinguishable 22from accessing the corresponding object from the original filesystem. 23This is most obvious from the 'st_dev' field returned by stat(2). 24 25While directories will report an st_dev from the overlay-filesystem, 26non-directory objects may report an st_dev from the lower filesystem or 27upper filesystem that is providing the object. Similarly st_ino will 28only be unique when combined with st_dev, and both of these can change 29over the lifetime of a non-directory object. Many applications and 30tools ignore these values and will not be affected. 31 32In the special case of all overlay layers on the same underlying 33filesystem, all objects will report an st_dev from the overlay 34filesystem and st_ino from the underlying filesystem. This will 35make the overlay mount more compliant with filesystem scanners and 36overlay objects will be distinguishable from the corresponding 37objects in the original filesystem. 38 39On 64bit systems, even if all overlay layers are not on the same 40underlying filesystem, the same compliant behavior could be achieved 41with the "xino" feature. The "xino" feature composes a unique object 42identifier from the real object st_ino and an underlying fsid index. 43The "xino" feature uses the high inode number bits for fsid, because the 44underlying filesystems rarely use the high inode number bits. In case 45the underlying inode number does overflow into the high xino bits, overlay 46filesystem will fall back to the non xino behavior for that inode. 47 48The "xino" feature can be enabled with the "-o xino=on" overlay mount option. 49If all underlying filesystems support NFS file handles, the value of st_ino 50for overlay filesystem objects is not only unique, but also persistent over 51the lifetime of the filesystem. The "-o xino=auto" overlay mount option 52enables the "xino" feature only if the persistent st_ino requirement is met. 53 54The following table summarizes what can be expected in different overlay 55configurations. 56 57Inode properties 58```````````````` 59 60+--------------+------------+------------+-----------------+----------------+ 61|Configuration | Persistent | Uniform | st_ino == d_ino | d_ino == i_ino | 62| | st_ino | st_dev | | [*] | 63+==============+=====+======+=====+======+========+========+========+=======+ 64| | dir | !dir | dir | !dir | dir + !dir | dir | !dir | 65+--------------+-----+------+-----+------+--------+--------+--------+-------+ 66| All layers | Y | Y | Y | Y | Y | Y | Y | Y | 67| on same fs | | | | | | | | | 68+--------------+-----+------+-----+------+--------+--------+--------+-------+ 69| Layers not | N | N | Y | N | N | Y | N | Y | 70| on same fs, | | | | | | | | | 71| xino=off | | | | | | | | | 72+--------------+-----+------+-----+------+--------+--------+--------+-------+ 73| xino=on/auto | Y | Y | Y | Y | Y | Y | Y | Y | 74+--------------+-----+------+-----+------+--------+--------+--------+-------+ 75| xino=on/auto,| N | N | Y | N | N | Y | N | Y | 76| ino overflow | | | | | | | | | 77+--------------+-----+------+-----+------+--------+--------+--------+-------+ 78 79[*] nfsd v3 readdirplus verifies d_ino == i_ino. i_ino is exposed via several 80/proc files, such as /proc/locks and /proc/self/fdinfo/<fd> of an inotify 81file descriptor. 82 83Upper and Lower 84--------------- 85 86An overlay filesystem combines two filesystems - an 'upper' filesystem 87and a 'lower' filesystem. When a name exists in both filesystems, the 88object in the 'upper' filesystem is visible while the object in the 89'lower' filesystem is either hidden or, in the case of directories, 90merged with the 'upper' object. 91 92It would be more correct to refer to an upper and lower 'directory 93tree' rather than 'filesystem' as it is quite possible for both 94directory trees to be in the same filesystem and there is no 95requirement that the root of a filesystem be given for either upper or 96lower. 97 98A wide range of filesystems supported by Linux can be the lower filesystem, 99but not all filesystems that are mountable by Linux have the features 100needed for OverlayFS to work. The lower filesystem does not need to be 101writable. The lower filesystem can even be another overlayfs. The upper 102filesystem will normally be writable and if it is it must support the 103creation of trusted.* and/or user.* extended attributes, and must provide 104valid d_type in readdir responses, so NFS is not suitable. 105 106A read-only overlay of two read-only filesystems may use any 107filesystem type. 108 109Directories 110----------- 111 112Overlaying mainly involves directories. If a given name appears in both 113upper and lower filesystems and refers to a non-directory in either, 114then the lower object is hidden - the name refers only to the upper 115object. 116 117Where both upper and lower objects are directories, a merged directory 118is formed. 119 120At mount time, the two directories given as mount options "lowerdir" and 121"upperdir" are combined into a merged directory: 122 123 mount -t overlay overlay -olowerdir=/lower,upperdir=/upper,\ 124 workdir=/work /merged 125 126The "workdir" needs to be an empty directory on the same filesystem 127as upperdir. 128 129Then whenever a lookup is requested in such a merged directory, the 130lookup is performed in each actual directory and the combined result 131is cached in the dentry belonging to the overlay filesystem. If both 132actual lookups find directories, both are stored and a merged 133directory is created, otherwise only one is stored: the upper if it 134exists, else the lower. 135 136Only the lists of names from directories are merged. Other content 137such as metadata and extended attributes are reported for the upper 138directory only. These attributes of the lower directory are hidden. 139 140whiteouts and opaque directories 141-------------------------------- 142 143In order to support rm and rmdir without changing the lower 144filesystem, an overlay filesystem needs to record in the upper filesystem 145that files have been removed. This is done using whiteouts and opaque 146directories (non-directories are always opaque). 147 148A whiteout is created as a character device with 0/0 device number. 149When a whiteout is found in the upper level of a merged directory, any 150matching name in the lower level is ignored, and the whiteout itself 151is also hidden. 152 153A directory is made opaque by setting the xattr "trusted.overlay.opaque" 154to "y". Where the upper filesystem contains an opaque directory, any 155directory in the lower filesystem with the same name is ignored. 156 157readdir 158------- 159 160When a 'readdir' request is made on a merged directory, the upper and 161lower directories are each read and the name lists merged in the 162obvious way (upper is read first, then lower - entries that already 163exist are not re-added). This merged name list is cached in the 164'struct file' and so remains as long as the file is kept open. If the 165directory is opened and read by two processes at the same time, they 166will each have separate caches. A seekdir to the start of the 167directory (offset 0) followed by a readdir will cause the cache to be 168discarded and rebuilt. 169 170This means that changes to the merged directory do not appear while a 171directory is being read. This is unlikely to be noticed by many 172programs. 173 174seek offsets are assigned sequentially when the directories are read. 175Thus if 176 177 - read part of a directory 178 - remember an offset, and close the directory 179 - re-open the directory some time later 180 - seek to the remembered offset 181 182there may be little correlation between the old and new locations in 183the list of filenames, particularly if anything has changed in the 184directory. 185 186Readdir on directories that are not merged is simply handled by the 187underlying directory (upper or lower). 188 189renaming directories 190-------------------- 191 192When renaming a directory that is on the lower layer or merged (i.e. the 193directory was not created on the upper layer to start with) overlayfs can 194handle it in two different ways: 195 1961. return EXDEV error: this error is returned by rename(2) when trying to 197 move a file or directory across filesystem boundaries. Hence 198 applications are usually prepared to handle this error (mv(1) for example 199 recursively copies the directory tree). This is the default behavior. 200 2012. If the "redirect_dir" feature is enabled, then the directory will be 202 copied up (but not the contents). Then the "trusted.overlay.redirect" 203 extended attribute is set to the path of the original location from the 204 root of the overlay. Finally the directory is moved to the new 205 location. 206 207There are several ways to tune the "redirect_dir" feature. 208 209Kernel config options: 210 211- OVERLAY_FS_REDIRECT_DIR: 212 If this is enabled, then redirect_dir is turned on by default. 213- OVERLAY_FS_REDIRECT_ALWAYS_FOLLOW: 214 If this is enabled, then redirects are always followed by default. Enabling 215 this results in a less secure configuration. Enable this option only when 216 worried about backward compatibility with kernels that have the redirect_dir 217 feature and follow redirects even if turned off. 218 219Module options (can also be changed through /sys/module/overlay/parameters/): 220 221- "redirect_dir=BOOL": 222 See OVERLAY_FS_REDIRECT_DIR kernel config option above. 223- "redirect_always_follow=BOOL": 224 See OVERLAY_FS_REDIRECT_ALWAYS_FOLLOW kernel config option above. 225- "redirect_max=NUM": 226 The maximum number of bytes in an absolute redirect (default is 256). 227 228Mount options: 229 230- "redirect_dir=on": 231 Redirects are enabled. 232- "redirect_dir=follow": 233 Redirects are not created, but followed. 234- "redirect_dir=nofollow": 235 Redirects are not created and not followed. 236- "redirect_dir=off": 237 If "redirect_always_follow" is enabled in the kernel/module config, 238 this "off" translates to "follow", otherwise it translates to "nofollow". 239 240When the NFS export feature is enabled, every copied up directory is 241indexed by the file handle of the lower inode and a file handle of the 242upper directory is stored in a "trusted.overlay.upper" extended attribute 243on the index entry. On lookup of a merged directory, if the upper 244directory does not match the file handle stores in the index, that is an 245indication that multiple upper directories may be redirected to the same 246lower directory. In that case, lookup returns an error and warns about 247a possible inconsistency. 248 249Because lower layer redirects cannot be verified with the index, enabling 250NFS export support on an overlay filesystem with no upper layer requires 251turning off redirect follow (e.g. "redirect_dir=nofollow"). 252 253 254Non-directories 255--------------- 256 257Objects that are not directories (files, symlinks, device-special 258files etc.) are presented either from the upper or lower filesystem as 259appropriate. When a file in the lower filesystem is accessed in a way 260the requires write-access, such as opening for write access, changing 261some metadata etc., the file is first copied from the lower filesystem 262to the upper filesystem (copy_up). Note that creating a hard-link 263also requires copy_up, though of course creation of a symlink does 264not. 265 266The copy_up may turn out to be unnecessary, for example if the file is 267opened for read-write but the data is not modified. 268 269The copy_up process first makes sure that the containing directory 270exists in the upper filesystem - creating it and any parents as 271necessary. It then creates the object with the same metadata (owner, 272mode, mtime, symlink-target etc.) and then if the object is a file, the 273data is copied from the lower to the upper filesystem. Finally any 274extended attributes are copied up. 275 276Once the copy_up is complete, the overlay filesystem simply 277provides direct access to the newly created file in the upper 278filesystem - future operations on the file are barely noticed by the 279overlay filesystem (though an operation on the name of the file such as 280rename or unlink will of course be noticed and handled). 281 282 283Permission model 284---------------- 285 286Permission checking in the overlay filesystem follows these principles: 287 288 1) permission check SHOULD return the same result before and after copy up 289 290 2) task creating the overlay mount MUST NOT gain additional privileges 291 292 3) non-mounting task MAY gain additional privileges through the overlay, 293 compared to direct access on underlying lower or upper filesystems 294 295This is achieved by performing two permission checks on each access 296 297 a) check if current task is allowed access based on local DAC (owner, 298 group, mode and posix acl), as well as MAC checks 299 300 b) check if mounting task would be allowed real operation on lower or 301 upper layer based on underlying filesystem permissions, again including 302 MAC checks 303 304Check (a) ensures consistency (1) since owner, group, mode and posix acls 305are copied up. On the other hand it can result in server enforced 306permissions (used by NFS, for example) being ignored (3). 307 308Check (b) ensures that no task gains permissions to underlying layers that 309the mounting task does not have (2). This also means that it is possible 310to create setups where the consistency rule (1) does not hold; normally, 311however, the mounting task will have sufficient privileges to perform all 312operations. 313 314Another way to demonstrate this model is drawing parallels between 315 316 mount -t overlay overlay -olowerdir=/lower,upperdir=/upper,... /merged 317 318and 319 320 cp -a /lower /upper 321 mount --bind /upper /merged 322 323The resulting access permissions should be the same. The difference is in 324the time of copy (on-demand vs. up-front). 325 326 327Multiple lower layers 328--------------------- 329 330Multiple lower layers can now be given using the colon (":") as a 331separator character between the directory names. For example: 332 333 mount -t overlay overlay -olowerdir=/lower1:/lower2:/lower3 /merged 334 335As the example shows, "upperdir=" and "workdir=" may be omitted. In 336that case the overlay will be read-only. 337 338The specified lower directories will be stacked beginning from the 339rightmost one and going left. In the above example lower1 will be the 340top, lower2 the middle and lower3 the bottom layer. 341 342Note: directory names containing colons can be provided as lower layer by 343escaping the colons with a single backslash. For example: 344 345 mount -t overlay overlay -olowerdir=/a\:lower\:\:dir /merged 346 347Since kernel version v6.8, directory names containing colons can also 348be configured as lower layer using the "lowerdir+" mount options and the 349fsconfig syscall from new mount api. For example: 350 351 fsconfig(fs_fd, FSCONFIG_SET_STRING, "lowerdir+", "/a:lower::dir", 0); 352 353In the latter case, colons in lower layer directory names will be escaped 354as an octal characters (\072) when displayed in /proc/self/mountinfo. 355 356Metadata only copy up 357--------------------- 358 359When metadata only copy up feature is enabled, overlayfs will only copy 360up metadata (as opposed to whole file), when a metadata specific operation 361like chown/chmod is performed. Full file will be copied up later when 362file is opened for WRITE operation. 363 364In other words, this is delayed data copy up operation and data is copied 365up when there is a need to actually modify data. 366 367There are multiple ways to enable/disable this feature. A config option 368CONFIG_OVERLAY_FS_METACOPY can be set/unset to enable/disable this feature 369by default. Or one can enable/disable it at module load time with module 370parameter metacopy=on/off. Lastly, there is also a per mount option 371metacopy=on/off to enable/disable this feature per mount. 372 373Do not use metacopy=on with untrusted upper/lower directories. Otherwise 374it is possible that an attacker can create a handcrafted file with 375appropriate REDIRECT and METACOPY xattrs, and gain access to file on lower 376pointed by REDIRECT. This should not be possible on local system as setting 377"trusted." xattrs will require CAP_SYS_ADMIN. But it should be possible 378for untrusted layers like from a pen drive. 379 380Note: redirect_dir={off|nofollow|follow[*]} and nfs_export=on mount options 381conflict with metacopy=on, and will result in an error. 382 383[*] redirect_dir=follow only conflicts with metacopy=on if upperdir=... is 384given. 385 386 387Data-only lower layers 388---------------------- 389 390With "metacopy" feature enabled, an overlayfs regular file may be a composition 391of information from up to three different layers: 392 393 1) metadata from a file in the upper layer 394 395 2) st_ino and st_dev object identifier from a file in a lower layer 396 397 3) data from a file in another lower layer (further below) 398 399The "lower data" file can be on any lower layer, except from the top most 400lower layer. 401 402Below the top most lower layer, any number of lower most layers may be defined 403as "data-only" lower layers, using double colon ("::") separators. 404A normal lower layer is not allowed to be below a data-only layer, so single 405colon separators are not allowed to the right of double colon ("::") separators. 406 407 408For example: 409 410 mount -t overlay overlay -olowerdir=/l1:/l2:/l3::/do1::/do2 /merged 411 412The paths of files in the "data-only" lower layers are not visible in the 413merged overlayfs directories and the metadata and st_ino/st_dev of files 414in the "data-only" lower layers are not visible in overlayfs inodes. 415 416Only the data of the files in the "data-only" lower layers may be visible 417when a "metacopy" file in one of the lower layers above it, has a "redirect" 418to the absolute path of the "lower data" file in the "data-only" lower layer. 419 420Since kernel version v6.8, "data-only" lower layers can also be added using 421the "datadir+" mount options and the fsconfig syscall from new mount api. 422For example: 423 424 fsconfig(fs_fd, FSCONFIG_SET_STRING, "lowerdir+", "/l1", 0); 425 fsconfig(fs_fd, FSCONFIG_SET_STRING, "lowerdir+", "/l2", 0); 426 fsconfig(fs_fd, FSCONFIG_SET_STRING, "lowerdir+", "/l3", 0); 427 fsconfig(fs_fd, FSCONFIG_SET_STRING, "datadir+", "/do1", 0); 428 fsconfig(fs_fd, FSCONFIG_SET_STRING, "datadir+", "/do2", 0); 429 430 431fs-verity support 432---------------------- 433 434During metadata copy up of a lower file, if the source file has 435fs-verity enabled and overlay verity support is enabled, then the 436digest of the lower file is added to the "trusted.overlay.metacopy" 437xattr. This is then used to verify the content of the lower file 438each the time the metacopy file is opened. 439 440When a layer containing verity xattrs is used, it means that any such 441metacopy file in the upper layer is guaranteed to match the content 442that was in the lower at the time of the copy-up. If at any time 443(during a mount, after a remount, etc) such a file in the lower is 444replaced or modified in any way, access to the corresponding file in 445overlayfs will result in EIO errors (either on open, due to overlayfs 446digest check, or from a later read due to fs-verity) and a detailed 447error is printed to the kernel logs. For more details of how fs-verity 448file access works, see :ref:`Documentation/filesystems/fsverity.rst 449<accessing_verity_files>`. 450 451Verity can be used as a general robustness check to detect accidental 452changes in the overlayfs directories in use. But, with additional care 453it can also give more powerful guarantees. For example, if the upper 454layer is fully trusted (by using dm-verity or something similar), then 455an untrusted lower layer can be used to supply validated file content 456for all metacopy files. If additionally the untrusted lower 457directories are specified as "Data-only", then they can only supply 458such file content, and the entire mount can be trusted to match the 459upper layer. 460 461This feature is controlled by the "verity" mount option, which 462supports these values: 463 464- "off": 465 The metacopy digest is never generated or used. This is the 466 default if verity option is not specified. 467- "on": 468 Whenever a metacopy files specifies an expected digest, the 469 corresponding data file must match the specified digest. When 470 generating a metacopy file the verity digest will be set in it 471 based on the source file (if it has one). 472- "require": 473 Same as "on", but additionally all metacopy files must specify a 474 digest (or EIO is returned on open). This means metadata copy up 475 will only be used if the data file has fs-verity enabled, 476 otherwise a full copy-up is used. 477 478Sharing and copying layers 479-------------------------- 480 481Lower layers may be shared among several overlay mounts and that is indeed 482a very common practice. An overlay mount may use the same lower layer 483path as another overlay mount and it may use a lower layer path that is 484beneath or above the path of another overlay lower layer path. 485 486Using an upper layer path and/or a workdir path that are already used by 487another overlay mount is not allowed and may fail with EBUSY. Using 488partially overlapping paths is not allowed and may fail with EBUSY. 489If files are accessed from two overlayfs mounts which share or overlap the 490upper layer and/or workdir path the behavior of the overlay is undefined, 491though it will not result in a crash or deadlock. 492 493Mounting an overlay using an upper layer path, where the upper layer path 494was previously used by another mounted overlay in combination with a 495different lower layer path, is allowed, unless the "inodes index" feature 496or "metadata only copy up" feature is enabled. 497 498With the "inodes index" feature, on the first time mount, an NFS file 499handle of the lower layer root directory, along with the UUID of the lower 500filesystem, are encoded and stored in the "trusted.overlay.origin" extended 501attribute on the upper layer root directory. On subsequent mount attempts, 502the lower root directory file handle and lower filesystem UUID are compared 503to the stored origin in upper root directory. On failure to verify the 504lower root origin, mount will fail with ESTALE. An overlayfs mount with 505"inodes index" enabled will fail with EOPNOTSUPP if the lower filesystem 506does not support NFS export, lower filesystem does not have a valid UUID or 507if the upper filesystem does not support extended attributes. 508 509For "metadata only copy up" feature there is no verification mechanism at 510mount time. So if same upper is mounted with different set of lower, mount 511probably will succeed but expect the unexpected later on. So don't do it. 512 513It is quite a common practice to copy overlay layers to a different 514directory tree on the same or different underlying filesystem, and even 515to a different machine. With the "inodes index" feature, trying to mount 516the copied layers will fail the verification of the lower root file handle. 517 518 519Non-standard behavior 520--------------------- 521 522Current version of overlayfs can act as a mostly POSIX compliant 523filesystem. 524 525This is the list of cases that overlayfs doesn't currently handle: 526 527a) POSIX mandates updating st_atime for reads. This is currently not 528done in the case when the file resides on a lower layer. 529 530b) If a file residing on a lower layer is opened for read-only and then 531memory mapped with MAP_SHARED, then subsequent changes to the file are not 532reflected in the memory mapping. 533 534c) If a file residing on a lower layer is being executed, then opening that 535file for write or truncating the file will not be denied with ETXTBSY. 536 537The following options allow overlayfs to act more like a standards 538compliant filesystem: 539 5401) "redirect_dir" 541 542Enabled with the mount option or module option: "redirect_dir=on" or with 543the kernel config option CONFIG_OVERLAY_FS_REDIRECT_DIR=y. 544 545If this feature is disabled, then rename(2) on a lower or merged directory 546will fail with EXDEV ("Invalid cross-device link"). 547 5482) "inode index" 549 550Enabled with the mount option or module option "index=on" or with the 551kernel config option CONFIG_OVERLAY_FS_INDEX=y. 552 553If this feature is disabled and a file with multiple hard links is copied 554up, then this will "break" the link. Changes will not be propagated to 555other names referring to the same inode. 556 5573) "xino" 558 559Enabled with the mount option "xino=auto" or "xino=on", with the module 560option "xino_auto=on" or with the kernel config option 561CONFIG_OVERLAY_FS_XINO_AUTO=y. Also implicitly enabled by using the same 562underlying filesystem for all layers making up the overlay. 563 564If this feature is disabled or the underlying filesystem doesn't have 565enough free bits in the inode number, then overlayfs will not be able to 566guarantee that the values of st_ino and st_dev returned by stat(2) and the 567value of d_ino returned by readdir(3) will act like on a normal filesystem. 568E.g. the value of st_dev may be different for two objects in the same 569overlay filesystem and the value of st_ino for filesystem objects may not be 570persistent and could change even while the overlay filesystem is mounted, as 571summarized in the `Inode properties`_ table above. 572 573 574Changes to underlying filesystems 575--------------------------------- 576 577Changes to the underlying filesystems while part of a mounted overlay 578filesystem are not allowed. If the underlying filesystem is changed, 579the behavior of the overlay is undefined, though it will not result in 580a crash or deadlock. 581 582Offline changes, when the overlay is not mounted, are allowed to the 583upper tree. Offline changes to the lower tree are only allowed if the 584"metadata only copy up", "inode index", "xino" and "redirect_dir" features 585have not been used. If the lower tree is modified and any of these 586features has been used, the behavior of the overlay is undefined, 587though it will not result in a crash or deadlock. 588 589When the overlay NFS export feature is enabled, overlay filesystems 590behavior on offline changes of the underlying lower layer is different 591than the behavior when NFS export is disabled. 592 593On every copy_up, an NFS file handle of the lower inode, along with the 594UUID of the lower filesystem, are encoded and stored in an extended 595attribute "trusted.overlay.origin" on the upper inode. 596 597When the NFS export feature is enabled, a lookup of a merged directory, 598that found a lower directory at the lookup path or at the path pointed 599to by the "trusted.overlay.redirect" extended attribute, will verify 600that the found lower directory file handle and lower filesystem UUID 601match the origin file handle that was stored at copy_up time. If a 602found lower directory does not match the stored origin, that directory 603will not be merged with the upper directory. 604 605 606 607NFS export 608---------- 609 610When the underlying filesystems supports NFS export and the "nfs_export" 611feature is enabled, an overlay filesystem may be exported to NFS. 612 613With the "nfs_export" feature, on copy_up of any lower object, an index 614entry is created under the index directory. The index entry name is the 615hexadecimal representation of the copy up origin file handle. For a 616non-directory object, the index entry is a hard link to the upper inode. 617For a directory object, the index entry has an extended attribute 618"trusted.overlay.upper" with an encoded file handle of the upper 619directory inode. 620 621When encoding a file handle from an overlay filesystem object, the 622following rules apply: 623 6241. For a non-upper object, encode a lower file handle from lower inode 6252. For an indexed object, encode a lower file handle from copy_up origin 6263. For a pure-upper object and for an existing non-indexed upper object, 627 encode an upper file handle from upper inode 628 629The encoded overlay file handle includes: 630 - Header including path type information (e.g. lower/upper) 631 - UUID of the underlying filesystem 632 - Underlying filesystem encoding of underlying inode 633 634This encoding format is identical to the encoding format file handles that 635are stored in extended attribute "trusted.overlay.origin". 636 637When decoding an overlay file handle, the following steps are followed: 638 6391. Find underlying layer by UUID and path type information. 6402. Decode the underlying filesystem file handle to underlying dentry. 6413. For a lower file handle, lookup the handle in index directory by name. 6424. If a whiteout is found in index, return ESTALE. This represents an 643 overlay object that was deleted after its file handle was encoded. 6445. For a non-directory, instantiate a disconnected overlay dentry from the 645 decoded underlying dentry, the path type and index inode, if found. 6466. For a directory, use the connected underlying decoded dentry, path type 647 and index, to lookup a connected overlay dentry. 648 649Decoding a non-directory file handle may return a disconnected dentry. 650copy_up of that disconnected dentry will create an upper index entry with 651no upper alias. 652 653When overlay filesystem has multiple lower layers, a middle layer 654directory may have a "redirect" to lower directory. Because middle layer 655"redirects" are not indexed, a lower file handle that was encoded from the 656"redirect" origin directory, cannot be used to find the middle or upper 657layer directory. Similarly, a lower file handle that was encoded from a 658descendant of the "redirect" origin directory, cannot be used to 659reconstruct a connected overlay path. To mitigate the cases of 660directories that cannot be decoded from a lower file handle, these 661directories are copied up on encode and encoded as an upper file handle. 662On an overlay filesystem with no upper layer this mitigation cannot be 663used NFS export in this setup requires turning off redirect follow (e.g. 664"redirect_dir=nofollow"). 665 666The overlay filesystem does not support non-directory connectable file 667handles, so exporting with the 'subtree_check' exportfs configuration will 668cause failures to lookup files over NFS. 669 670When the NFS export feature is enabled, all directory index entries are 671verified on mount time to check that upper file handles are not stale. 672This verification may cause significant overhead in some cases. 673 674Note: the mount options index=off,nfs_export=on are conflicting for a 675read-write mount and will result in an error. 676 677Note: the mount option uuid=off can be used to replace UUID of the underlying 678filesystem in file handles with null, and effectively disable UUID checks. This 679can be useful in case the underlying disk is copied and the UUID of this copy 680is changed. This is only applicable if all lower/upper/work directories are on 681the same filesystem, otherwise it will fallback to normal behaviour. 682 683 684UUID and fsid 685------------- 686 687The UUID of overlayfs instance itself and the fsid reported by statfs(2) are 688controlled by the "uuid" mount option, which supports these values: 689 690- "null": 691 UUID of overlayfs is null. fsid is taken from upper most filesystem. 692- "off": 693 UUID of overlayfs is null. fsid is taken from upper most filesystem. 694 UUID of underlying layers is ignored. 695- "on": 696 UUID of overlayfs is generated and used to report a unique fsid. 697 UUID is stored in xattr "trusted.overlay.uuid", making overlayfs fsid 698 unique and persistent. This option requires an overlayfs with upper 699 filesystem that supports xattrs. 700- "auto": (default) 701 UUID is taken from xattr "trusted.overlay.uuid" if it exists. 702 Upgrade to "uuid=on" on first time mount of new overlay filesystem that 703 meets the prerequites. 704 Downgrade to "uuid=null" for existing overlay filesystems that were never 705 mounted with "uuid=on". 706 707 708Volatile mount 709-------------- 710 711This is enabled with the "volatile" mount option. Volatile mounts are not 712guaranteed to survive a crash. It is strongly recommended that volatile 713mounts are only used if data written to the overlay can be recreated 714without significant effort. 715 716The advantage of mounting with the "volatile" option is that all forms of 717sync calls to the upper filesystem are omitted. 718 719In order to avoid a giving a false sense of safety, the syncfs (and fsync) 720semantics of volatile mounts are slightly different than that of the rest of 721VFS. If any writeback error occurs on the upperdir's filesystem after a 722volatile mount takes place, all sync functions will return an error. Once this 723condition is reached, the filesystem will not recover, and every subsequent sync 724call will return an error, even if the upperdir has not experience a new error 725since the last sync call. 726 727When overlay is mounted with "volatile" option, the directory 728"$workdir/work/incompat/volatile" is created. During next mount, overlay 729checks for this directory and refuses to mount if present. This is a strong 730indicator that user should throw away upper and work directories and create 731fresh one. In very limited cases where the user knows that the system has 732not crashed and contents of upperdir are intact, The "volatile" directory 733can be removed. 734 735 736User xattr 737---------- 738 739The "-o userxattr" mount option forces overlayfs to use the 740"user.overlay." xattr namespace instead of "trusted.overlay.". This is 741useful for unprivileged mounting of overlayfs. 742 743 744Testsuite 745--------- 746 747There's a testsuite originally developed by David Howells and currently 748maintained by Amir Goldstein at: 749 750 https://github.com/amir73il/unionmount-testsuite.git 751 752Run as root: 753 754 # cd unionmount-testsuite 755 # ./run --ov --verify 756