š Introduction
Docker remains the most popular container runtime for developers and sysadmins, but starting from Docker Engine v29.x, significant internal architecture changes have emerged. These changes impact how container images are stored, where layered filesystems exist, and how Docker integrates with its underlying containerd runtime.
This guide covers:
- Major differences between Docker ā¤28 and v29+
- Internal storage layout changes
- Impacts on developers and administrators
- How to inspect image and container layers now
- Migration and compatibility guidance
š§± Docker Architecture ā Before v29
In earlier Docker versions (up to v28.x):
| Feature | Description |
|---|---|
| Image Storage | Docker used its āGraphDriverā model, storing image layers under /var/lib/docker/overlay2/ or similar (e.g., aufs, btrfs) |
| Container Storage | Containers used a writable layer on top of the image root filesystem, served by the same driver (overlay2) |
| Image Metadata | Found under /var/lib/docker/image/<driver>/layerdb/ |
| Docker Internal Runtime | Docker used its own embedded runtime (dockerd), talking directly to container execution (runc) |
| Networking | Docker relied on iptables to manage NAT, firewall rules, port forwarding, and DOCKER-USER chains |
| Minimum API Versions | Docker Engine accepted older client versions (v1.24+) depending on the server version |
š What’s New in Docker 29.x?
šÆ Key Changes
| Area | Whatās Changed in Docker v29+ | Why It Matters |
|---|---|---|
| Storage Model | Docker adopts containerdās native image store + snapshotter as default | Massive change: image layers are no longer under /var/lib/docker/image/... but under /var/lib/containerd/... |
| Image Layer Paths | Layers are stored in: /var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/<id>/fs/ | If youāre looking for layer data for forensic or debug, this path is now standard |
| Container RootFS Path | Merged runtime container filesystem is now under: /var/lib/docker/rootfs/overlayfs/<container-id>/ | A clean split between image storage (containerd) and runtime (docker) |
| Networking Support | Experimental support for nftables (in addition to iptables) | Future-proofing for systems where iptables is deprecated |
| API Version | Minimum Docker API version is now 1.44 | Older clients or tools using old SDKs will need updates |
| Go Module Migration | Docker Engine (moby) fully migrated to Go modules | Easier version tracking and imports for developers |
| Legacy Storage Driver Deprecation | Direct usage of overlay2/aufs āgraph driversā is being phased out | All new installs use containerd snapshotters by default |
š Storage Layout ā Then vs Now
Before Docker v29:
/var/lib/docker/
āāā overlay2/ # Data for layers and containers
āāā containers/
āāā image/
ā āāā overlay2/
ā āāā layerdb/
Code language: PHP (php)Docker v29 and after:
/var/lib/docker/
āāā rootfs/overlayfs/ # Merged rootfs for active containers
āāā containers/
āāā volumes/
# Image layers are now here:
/var/lib/containerd/
āāā io.containerd.content.v1.content/
āāā io.containerd.snapshotter.v1.overlayfs/
ā āāā snapshots/<id>/fs # Physical image layer content
Code language: PHP (php)š§ Developer Notes
- Image Developers: Image layers are now under
/var/lib/containerd/...ā not/var/lib/docker/.... - Container Debuggers: Live container filesystems are still under
/var/lib/docker/rootfs/.... - Storage Tools: Tools that scanned
/var/lib/docker/image/will need updates for Docker 29+. - DevOps Pipelines: Docker API version must be ā„1.44 ā update older SDKs or CI automation.
- Advanced Users: Use
ctrornerdctlto inspect containerd-managed snapshots.
š ļø Practical Examples
š§¾ Retrieve Image Snapshot Info via ctr:
ctr -n moby images ls | grep <image>
ctr -n moby image info docker.io/<image>:tag
ctr -n moby snapshots ls
Code language: HTML, XML (xml)šļø View Image Layer Contents:
cd /var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/<id>/fs
ls -al
Code language: JavaScript (javascript)š§¾ Inspect Container RootFS:
cd /var/lib/docker/rootfs/overlayfs/<container-id>/
ls -al
Code language: JavaScript (javascript)ā ļø Impact and Migration Guidance
- Existing Hosts:
- Docker v29 does not force migration ā your existing overlay2/aufs data is retained.
- Plan carefully if manually moving to containerd storage backend.
- New Installations:
- Automatically use containerd image store and snapshotter ā follow the new paths.
- Tools & Plugins:
- Ensure compatibility with API 1.44+ and the containerd layout.
- Update scanning, backup, and forensic tools accordingly.
- CI/CD Agents:
- Ensure Docker SDK versions, client libraries, and API calls are upgraded.
š§ Conclusion
Docker v29 is a major evolutionary jump, aligning Docker more deeply with containerdās architecture, cleaning up storage models, modernizing networking, and improving modularity.
This change benefits the ecosystem ā but requires awareness and adaptation from developers, administrators, and tool maintainers.
Key paths to remember:
- Image Layers:
/var/lib/containerd/io.containerd.snapshotter.v1.overlayfs/snapshots/<snapshot-id>/fs - Container Filesystems:
/var/lib/docker/rootfs/overlayfs/<container-id>/
Iām a DevOps/SRE/DevSecOps/Cloud Expert passionate about sharing knowledge and experiences. I have worked at Cotocus. I share tech blog at DevOps School, travel stories at Holiday Landmark, stock market tips at Stocks Mantra, health and fitness guidance at My Medic Plus, product reviews at TrueReviewNow , and SEO strategies at Wizbrand.
Do you want to learn Quantum Computing?
Please find my social handles as below;
Rajesh Kumar Personal Website
Rajesh Kumar at YOUTUBE
Rajesh Kumar at INSTAGRAM
Rajesh Kumar at X
Rajesh Kumar at FACEBOOK
Rajesh Kumar at LINKEDIN
Rajesh Kumar at WIZBRAND
