Copy-on-Write Explained
LEVEL 0
The Problem
You run a container from an image. The container needs to modify a file that came from the image. But image layers are read-only. How can the container write?
LEVEL 1
The Concept — Writing on Transparent Sheets
Remember our transparent sheet analogy?
Image layers are like sheets that are laminated — you can’t write on them. They’re permanently fixed.
When you run a container, Docker gives you a new, blank transparent sheet on top. This is your writable layer.
Now, what if you need to modify something that’s on a lower, laminated sheet?
You can’t modify it directly. Instead, you copy it to your blank sheet on top, then modify the copy. The original stays unchanged. Anyone looking from above sees your modified version because it’s on top.
This is Copy-on-Write (CoW).
LEVEL 2
The Mechanics — CoW in Action
Reading a File
- Container requests /app/config.yaml
- Docker looks in writable layer — not there
- Docker looks in image layers — found in layer 3
- Docker returns the file from layer 3
No copying needed for reads. Fast.
Writing to an Existing File
- Container wants to write to /app/config.yaml
- Docker finds the file in layer 3
- Docker copies /app/config.yaml from layer 3 to writable layer
- Container modifies the copy in writable layer
- Original in layer 3 is unchanged
The “copy-on-write” happens at the first write.
Creating a New File
- Container creates /app/newfile.txt
- Docker writes it directly to the writable layer
- No copying needed — it’s a new file
Deleting a File
- Container deletes /app/oldfile.txt
- File exists in an image layer (can’t actually delete)
- Docker creates a “whiteout” marker in writable layer
- The file appears deleted when looking from above
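The four operations above, modelled in memory as an added example (not Docker's code and not part of the original page). The Container class, its methods and the WHITEOUT marker are hypothetical names chosen for illustration; a real storage driver does the same work on files on disk.

```python
# Added illustration: in-memory model of layered copy-on-write.
# All names here are hypothetical; this is not how Docker is implemented.

WHITEOUT = object()  # marker meaning "deleted in this container's view"


class Container:
    def __init__(self, image_layers):
        # image_layers: list of dicts (path -> bytes), lowest layer first.
        # The same list is shared by every container and never written to.
        self.image_layers = image_layers
        self.writable = {}        # this container's private top layer
        self.bytes_copied = 0     # total cost paid for copy-up

    def _find_in_image(self, path):
        for layer in reversed(self.image_layers):  # top-most layer wins
            if path in layer:
                return layer[path]
        return None

    def read(self, path):
        if path in self.writable:
            entry = self.writable[path]
            if entry is WHITEOUT:
                raise FileNotFoundError(path)
            return bytes(entry)
        data = self._find_in_image(path)
        if data is None:
            raise FileNotFoundError(path)
        return data                                # reads never copy

    def write(self, path, offset, data):
        entry = self.writable.get(path)
        if entry is None or entry is WHITEOUT:
            # First write: copy the whole lower file up (or start a new one).
            lower = None if entry is WHITEOUT else self._find_in_image(path)
            entry = bytearray(lower or b"")
            self.bytes_copied += len(lower or b"")
            self.writable[path] = entry
        entry[offset:offset + len(data)] = data    # later writes hit the copy

    def delete(self, path):
        self.read(path)                            # raises if not visible
        if self._find_in_image(path) is not None:
            self.writable[path] = WHITEOUT         # hide the image's file
        else:
            del self.writable[path]                # file only existed up here
```

Running two Container objects over the same image_layers list shows that one container's writes and deletes never change what the other reads.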
LEVEL 3
Implications
Image Layers Are Safe
No matter what a container does, image layers are never modified. 100 containers can run from the same image, all “modifying” files, and the image stays pristine.
First Write Is Expensive
The first time you modify a large file, Docker copies it to the writable layer. Modifying a 1GB file means copying 1GB. Subsequent writes to that file are fast (already in writable layer).
Container State Is Temporary
Everything in the writable layer is lost when the container is removed. This is why volumes exist — for persistent data.
LEVEL 4
Storage Drivers
Docker uses “storage drivers” to implement this layered filesystem. Different drivers have different performance characteristics:
- overlay2 — Modern Linux default, good performance
- devicemapper — Older, more complex
- btrfs/zfs — For those filesystems
The concept of layers and CoW is the same; implementation details vary.