linux docker overlay partition mount-point

Why does docker/overlay2 show up as a separate mountpoint?


I am running docker on a RHEL7.9 machine we hope to host webservices and a few other applications.

$ docker info
Client:
 Context:    default
 Debug Mode: false
 Plugins:
  app: Docker App (Docker Inc., v0.9.1-beta3)
  buildx: Build with BuildKit (Docker Inc., v0.5.1-docker)
  scan: Docker Scan (Docker Inc., v0.8.0)

Server:
 Containers: 22
  Running: 22
  Paused: 0
  Stopped: 0
 Images: 16
 Server Version: 20.10.7
 Storage Driver: overlay2
  Backing Filesystem: xfs
  Supports d_type: true
  Native Overlay Diff: true
  userxattr: false
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
 Cgroup Version: 1
 Plugins:
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: runc io.containerd.runc.v2 io.containerd.runtime.v1.linux nvidia
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 7eba5930496d9bbe375fdf71603e610ad737d2b2
 runc version: v1.0.0-0-g84113ee
 init version: de40ad0
 Security Options:
  seccomp
   Profile: default
 Kernel Version: 3.10.0-1160.24.1.el7.x86_64
 Operating System: Red Hat Enterprise Linux
 OSType: linux
 Architecture: x86_64
 CPUs: 80
 Total Memory: 503.3GiB
 Name: <not relevant>
 ID: <not relevant>
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Username: <not relevant>
 Registry: https://index.docker.io/v1/
 Labels:
 Experimental: false
 Insecure Registries:
  127.0.0.0/8
 Live Restore Enabled: true

I have /var/lib/docker under its own partition as part of security protocol. I did this after initial setup of the system.

$ grep '/var/lib/docker\s' /proc/mounts
/dev/mapper/afsys-var_lib_docker /var/lib/docker xfs rw,seclabel,relatime,attr2,inode64,sunit=512,swidth=512,noquota 0 0
$ mountpoint -- "$(docker info -f '{{ .DockerRootDir }}')"
/var/lib/docker is a mountpoint

I am unsure if things are configured correctly - specifically, some of the overlay storage is showing up in separate mountpoints on the filesystem. I'm unsure if this is expected, or a byproduct of partitioning /var/lib/docker AFTER we set up the system and had previously built images/containers.

$ df
Filesystem                        1K-blocks      Used  Available Use% Mounted on
devtmpfs                          263885104         0  263885104   0% /dev
tmpfs                             263899860         0  263899860   0% /dev/shm
tmpfs                             263899860   4181840  259718020   2% /run
tmpfs                             263899860         0  263899860   0% /sys/fs/cgroup
/dev/mapper/sys-root           9763538944 135472276 9628066668   2% /
/dev/sdf1                            972452    264664     707788  28% /boot
/dev/mapper/sys-maintenance     976087296     34336  976052960   1% /maintenance
/dev/mapper/sys-tmp             976087296     34472  976052824   1% /tmp
/dev/mapper/sys-var             976087296  54178732  921908564   6% /var
/dev/mapper/sys-var_lib_docker  524032000  62655660  461376340  12% /var/lib/docker
/dev/mapper/sys-var_log         976087296   2079404  974007892   1% /var/log
/dev/mapper/sys-var_log_audit   976087296     73968  976013328   1% /var/log/audit
/dev/mapper/sys-home           9763538944  36080988 9727457956   1% /home
tmpfs                              52779976         0   52779976   0% /run/user/1001
tmpfs                              52779976         0   52779976   0% /run/user/0
overlay                           524032000  62655660  461376340  12% /var/lib/docker/overlay2/458fdb1acf9be0a10f3627ac8bffad5311542f6d66de976bed3f19b437f76d57/merged
overlay                           524032000  62655660  461376340  12% /var/lib/docker/overlay2/04015d24492d44b0b350a1b118904bbd620cb6554a4f10fb6000be1945b00e23/merged
overlay                           524032000  62655660  461376340  12% /var/lib/docker/overlay2/688ba6b06a96b2dbeb1602c91f36c69f4a2b55a731887c44b0d8ed496698099f/merged
overlay                           524032000  62655660  461376340  12% /var/lib/docker/overlay2/6cafdb8e46dd04a2b0bcc9982906f83ec706d8fe7980b62a20fbb45c7439be74/merged
overlay                           524032000  62655660  461376340  12% /var/lib/docker/overlay2/7d715bcebb32eb144166a48289816b7aad3247aff9a6289e78552f349ad32293/merged
overlay                           524032000  62655660  461376340  12% /var/lib/docker/overlay2/50beb5caa2817b62388fffe73cc736dbb80ef5553d5b881f6393316b22d3d415/merged
overlay                           524032000  62655660  461376340  12% /var/lib/docker/overlay2/0b5ce085bf279805aa3fb04329d1ff6c96c0ea487a81db0f6c62619b0ef12eab/merged
overlay                           524032000  62655660  461376340  12% /var/lib/docker/overlay2/7386a81809e579aac138c1e0449a32f23063258f5c4131df676deeb26924e5bb/merged
overlay                           524032000  62655660  461376340  12% /var/lib/docker/overlay2/f180488020c76514e0c4cf3ec651e31ac6b712d71e3dd066996c810f5c44cae6/merged
overlay                           524032000  62655660  461376340  12% /var/lib/docker/overlay2/e7aff65debb3b2200fe209b54e225419bf00f3d18e99caadde06249c67f70dce/merged
overlay                           524032000  62655660  461376340  12% /var/lib/docker/overlay2/3f5a54dae289b0169088e506229a5e75a54eb084a7e9eb7d191393bb0d922e1b/merged
overlay                           524032000  62655660  461376340  12% /var/lib/docker/overlay2/498b74db68c80bd88805bd4511c44c87624b00b53563250899fb821770a4c13c/merged
overlay                           524032000  62655660  461376340  12% /var/lib/docker/overlay2/e964f314751256feb5f0e2224d6306fabe500f4817bb5e2df2b9598f157032da/merged
overlay                           524032000  62655660  461376340  12% /var/lib/docker/overlay2/3ee10a1cb42e0028ef19072b878277f09c079440bdb9696d240ec7240aaf30f6/merged
overlay                           524032000  62655660  461376340  12% /var/lib/docker/overlay2/fc39cf63c7f11715ba366aa363b0bbe311109396bbad579d64cb8a86636f11f6/merged
overlay                           524032000  62655660  461376340  12% /var/lib/docker/overlay2/1dae92df5c219ca2fad777e8544101fce4c9d67da7004a1860ba3823b0e94f26/merged
overlay                           524032000  62655660  461376340  12% /var/lib/docker/overlay2/96450a2ec1c860f2b94d31347a8586a720bb72b4d75b30d716954f96bb3044a5/merged
overlay                           524032000  62655660  461376340  12% /var/lib/docker/overlay2/76a3e24abd07a441247d9ebd515c68001be8f146b1ed9d8e1ac9f03f290f6591/merged
overlay                           524032000  62655660  461376340  12% /var/lib/docker/overlay2/6cdf52c19bf11696c84190e4be40cc25ea553621670f142400f782324bda6d9a/merged
overlay                           524032000  62655660  461376340  12% /var/lib/docker/overlay2/c26d05d70bbf4e09900fc02b9a94e96b23b89c118f6a4b8eb840e22d9e2de34d/merged
overlay                           524032000  62655660  461376340  12% /var/lib/docker/overlay2/6426313243beafaa3059d43d7d6cb5c9954bdf9363012555dae59807657e58d5/merged
overlay                           524032000  62655660  461376340  12% /var/lib/docker/overlay2/24d8c3c58b23f68c820bd624c8a7ec4902219ede1acdbb1336b055045e5d3c25/merged

Please forgive me if I am misinterpreting, but I needed a sanity check and/or advice on how best to configure this so these overlays don't show up as separate mounts.


Solution

  • Why Docker uses overlayfs

    Docker containers are composed of multiple layers. Docker needs to be able to efficiently combine layers, and add and remove those layers efficiently. To combine those layers, Docker uses a storage driver such as overlayfs or aufs.

    These filesystems count as mounts, so they show up in tools such as mount or df.

    > I have /var/lib/docker under its own partition as part of security protocol. I did this after initial setup of the system.

    I believe Docker supports this. I see no reason why this wouldn't work. The only caveat I can think of is that if you had containers before creating this partition, then mounting that partition would shadow those containers, therefore making any containers created before the partition was created inaccessible.

    Excluding overlay from df

    If you want to avoid seeing these in the output of df, you can use this command:

    df -x overlay
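To confirm that the per-container overlay mounts discussed above really keep their writable layer on the dedicated Docker partition, the mount options can be checked directly. The script below is an added example, not part of the original question or answer; the function names and the sample mount lines are constructed for illustration.

```shell
#!/bin/sh
# audit_overlay_mounts MOUNTS_FILE DOCKER_ROOT
# Reads /proc/mounts-format input and prints "<status> <mountpoint>" for
# every overlay mount:
#   inside   mountpoint and upperdir are both under DOCKER_ROOT
#   outside  either one lies elsewhere (not on the Docker partition)
audit_overlay_mounts() {
    awk -v root="$2" '
        function under(path, dir) { return index(path, dir "/") == 1 }
        $3 == "overlay" {
            upper = ""
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++)
                if (opts[i] ~ /^upperdir=/) upper = substr(opts[i], 10)
            status = (under($2, root) && under(upper, root)) ? "inside" : "outside"
            print status, $2
        }
    ' "$1"
}

# Constructed sample in /proc/mounts format (shortened layer IDs).
sample_mounts() {
    cat <<'EOF'
/dev/mapper/sys-var /var xfs rw,seclabel,relatime 0 0
/dev/mapper/sys-var_lib_docker /var/lib/docker xfs rw,seclabel,relatime,noquota 0 0
overlay /var/lib/docker/overlay2/aaaa/merged overlay rw,seclabel,relatime,lowerdir=/var/lib/docker/overlay2/l/L1:/var/lib/docker/overlay2/l/L2,upperdir=/var/lib/docker/overlay2/aaaa/diff,workdir=/var/lib/docker/overlay2/aaaa/work 0 0
overlay /srv/other/merged overlay rw,relatime,lowerdir=/srv/other/lower,upperdir=/srv/other/upper,workdir=/srv/other/work 0 0
EOF
}

# Demo on the constructed sample.
tmp=$(mktemp)
sample_mounts > "$tmp"
audit_overlay_mounts "$tmp" /var/lib/docker
rm -f "$tmp"

# On a live host:
#   audit_overlay_mounts /proc/mounts "$(docker info -f '{{ .DockerRootDir }}')"
```

Each running container contributes one `inside` line; an `outside` line means an overlay mount whose writable layer is not stored under the Docker root directory.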