Docker Deep Dive
by Sergey Okinchuk
Image OptimizationThe Writable Layer and Copy-on-Write

Chapter Six

Storage

Where a container's writes actually go, and why they vanish when the container does. The thin writable layer and copy-on-write, the three ways to keep data outside it — named volumes, bind mounts, tmpfs — the volume lifecycle and the anonymous-volume sprawl that fills disks, bind mounts in development and the directory-clobbering footgun, volume drivers that reach past the local disk, and the backup pattern that turns a volume into something you can actually restore.

6 topics

A container is disposable, and so is everything it writes to its own filesystem. That single fact is the reason this chapter exists: Driftwood's db container loses every bookmark the moment it's replaced, because Postgres wrote into the container's writable layer instead of somewhere durable. The fix is a named volume, and the chapter builds out from there into the full catalog of how data leaves the disposable layer.

The shape of the chapter follows the shape of the problem. First, where writes go and why copy-on-write makes them both slow and ephemeral. Then the three places to put data instead — a Docker-managed named volume, a host path bind-mounted in, or a RAM-only tmpfs — and how to tell which one a flag actually selects. Then the named-volume lifecycle and the anonymous volumes that pile up unnoticed, bind mounts as the development workflow and their sharpest footgun, volume drivers for storage that isn't this host's local disk, and finally the backup pattern that protects data Docker itself will not back up for you.

Topics in This Chapter

Topic 33
The Writable Layer and Copy-on-Write
Every container gets one thin read-write layer over the image's read-only layers, and it dies with the container. Copy-on-write copies a whole file up on first write, whiteouts hide deletes without reclaiming space, and durable data has to live elsewhere.
LayersCopy-on-write
Topic 34
Volumes vs Bind Mounts vs tmpfs
The three ways to put data outside the writable layer. A named volume is Docker-managed storage, a bind mount is an exact host path, a tmpfs lives in RAM only. The mount syntax read in words, and which one each job calls for.
VolumesMounts
Topic 35
Named Volumes and the Volume Lifecycle
A named volume outlives every container that mounts it — create, inspect, remove, prune. Anonymous volumes and the VOLUME instruction that quietly creates one per run, the sprawl that fills /var/lib/docker, and the -v flag that deletes data.
LifecycleVolumes
Topic 36
Bind Mounts in Development
A host directory mapped straight in, so an edit on the host is the file the container runs. The clobber footgun that hides installed dependencies, read-only mounts for config, and the UID mismatch that leaves root-owned files behind.
FootgunDev workflow
Topic 37
Volume Drivers and Remote Storage
Every volume has a driver, and local — this host's disk — is the default. Driver options and plugins back a volume with NFS or cloud storage, but coordinated multi-host storage is an orchestration problem, not a Docker volume flag.
DriversRemote storage
Topic 38
Backups, Migration, and Persistence Patterns
Docker has no backup command. The throwaway helper container that tars a volume out to the host, why a live database needs a quiesced or logical backup, and the rule underneath it all: application in the image, data in the volume.
BackupsPersistence